Malware Analysis Report

2024-11-30 02:48

Sample ID 240407-ww2sbaag5y
Target e58f0bcf615df4b26169339651be6114_JaffaCakes118
SHA256 92ae68a5737f666210c1181caf139dce5d13a8a2cba75ca64d357d112c6a588a
Tags spyware stealer
Score 7/10


Analysis Overview

Score 7/10

SHA256

92ae68a5737f666210c1181caf139dce5d13a8a2cba75ca64d357d112c6a588a

Threat Level: Shows suspicious behavior

The file e58f0bcf615df4b26169339651be6114_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:17

Reported

2024-04-07 18:19

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\Journal.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmprph.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\WinMail.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\misc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\virDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 2240 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 2240 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 2240 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 1536 wrote to memory of 1412 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1536 wrote to memory of 1412 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1756 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe
PID 1756 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe
PID 1756 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe
PID 1756 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a823A.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\$$a823A.bat

MD5 4fa272b1a312107835aebdcb0089d2e9
SHA1 24b3103f362f225b74ff75b3bcec9469329b7e76
SHA256 dbe986f3db3fa9749e6ac8ac279695db6a34f46afa4b1f665a89357c107d9003
SHA512 da3a997633592a27b3b193b265c9a2fb82573f46216a22f7b236563216d77cea8cd73a3ebf140006737912de6e5502a0693ec82db28e96d06a518e6c7c4e2899

memory/2240-13-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\Logo1_.exe

MD5 e35aa64b0d75b2c2c1abfd99486c0055
SHA1 ab0978f8dbbbc5a7d4794d26ebb932121dd73523
SHA256 6ae6691351eea341617f1505fc2e6436881483f7aa829067065f2fb730c9f34f
SHA512 f67952d547d17daf75489dea69fc363cc68e428976e058638c490e57512c4acf2b463f97d71bded075e893eae53cc9b31a4a5337f88c464d170c9403eb6bfb80

memory/1412-19-0x0000000002580000-0x0000000002581000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe.exe

MD5 3df8bca2648d9fafbc94e92beb0462a2
SHA1 1e0e54e159def40fe7271137ba574ead8252f1bf
SHA256 b775c564cdef8c03156e241c8c2d257b7fe98648020b8847122c94acd53002a4
SHA512 5c64cc2b043783b426ee5f0955719f14481da8c1cd61a58a718ad400ac14c5af68e7dd379df6ed496ac10309b91b0f91761ecfdd605d96ce13f07a0a18abeb05

memory/1536-240-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:17

Reported

2024-04-07 18:19

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{CF7C447C-1801-4EDB-B846-242A67BD0D01}\chrome_installer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeComRegisterShellARM64.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe N/A
File created C:\Windows\virDll.dll C:\Windows\Logo1_.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 2064 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 2064 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 3344 wrote to memory of 3508 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3344 wrote to memory of 3508 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3032 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe
PID 3032 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe
PID 3032 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a277D.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/2064-7-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\Logo1_.exe

MD5 e35aa64b0d75b2c2c1abfd99486c0055
SHA1 ab0978f8dbbbc5a7d4794d26ebb932121dd73523
SHA256 6ae6691351eea341617f1505fc2e6436881483f7aa829067065f2fb730c9f34f
SHA512 f67952d547d17daf75489dea69fc363cc68e428976e058638c490e57512c4acf2b463f97d71bded075e893eae53cc9b31a4a5337f88c464d170c9403eb6bfb80

C:\Program Files\7-Zip\7zFM.exe

MD5 ebffbbea1b28d95d126388ce8d31bdc2
SHA1 a3b8670345211f16de44f64bb7892ae981e5d163
SHA256 de55edb798ac716ebdd00c45d1d418685d2027d53dcbdaa14cb3241611dddfe4
SHA512 7fa7c15b1e9afb5976fe0b59bd1ce372fe390340c583b40789c647cc40e81d27e75d04c214b58b7d7e48a71da8d0841df32609851e914957d2fc3a57de6bdc6d

C:\Users\Admin\AppData\Local\Temp\$$a277D.bat

MD5 c2aae91370cea1ff26630f97eb5a3cdb
SHA1 988ade2cb6b7f4be5ce5deec3b78662eb9ec524f
SHA256 b4920caca34a859c9f3c7a28b27c852c6ba280a12ce27ee4635ad7f10139eb69
SHA512 fb118de235d04a291c4fef2bfd19ece703bd271c8b2e10e6358a1cac3f72434a45a8f8184eca88adb5da8b27ac54b022648eb6924f76e8f51e17c0fada1740a5

C:\Users\Admin\AppData\Local\Temp\e58f0bcf615df4b26169339651be6114_JaffaCakes118.exe.exe

MD5 3df8bca2648d9fafbc94e92beb0462a2
SHA1 1e0e54e159def40fe7271137ba574ead8252f1bf
SHA256 b775c564cdef8c03156e241c8c2d257b7fe98648020b8847122c94acd53002a4
SHA512 5c64cc2b043783b426ee5f0955719f14481da8c1cd61a58a718ad400ac14c5af68e7dd379df6ed496ac10309b91b0f91761ecfdd605d96ce13f07a0a18abeb05

memory/3344-222-0x0000000000400000-0x0000000000422000-memory.dmp