Malware Analysis Report

2025-03-14 22:31

Sample ID 240407-xtbzjsbg8z
Target e5a6277276007273a63888300de78ced_JaffaCakes118
SHA256 b021bc0f300ed44580b75b788c6553e384077c138b0a3d7343abfb0ae0fcc17c
Tags
evasion persistence trojan upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b021bc0f300ed44580b75b788c6553e384077c138b0a3d7343abfb0ae0fcc17c

Threat Level: Likely malicious

The file e5a6277276007273a63888300de78ced_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence trojan upx

Modifies AppInit DLL entries

Sets file execution options in registry

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Checks for any installed AV software in registry

Checks whether UAC is enabled

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:08

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:08

Reported

2024-04-07 19:11

Platform

win7-20240221-en

Max time kernel

162s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Sets file execution options in registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Windows\SysWOW64\com\lsass.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\com\lsass.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\com\lsass.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification D:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification \??\E:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\com\netcfg.000 C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification \??\c:\windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\bak C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\com\lsass.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\00302.log C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\00302.log C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\com\lsass.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
File opened for modification C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\259435558.log C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\259435558.log C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\dnsq.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\dnsq.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\00302.log \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
File opened for modification C:\Windows\SysWOW64\com\netcfg.000 C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\com\lsass.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\com\lsass.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2380 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2380 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2380 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2380 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2380 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2380 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2380 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 2380 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log
PID 2380 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log
PID 2380 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log
PID 2380 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log
PID 2556 wrote to memory of 2756 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2756 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2756 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2756 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2972 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2972 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2972 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2972 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2708 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2708 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2708 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2708 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2712 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2712 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2712 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2712 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2556 wrote to memory of 2432 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2432 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2432 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2432 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1032 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1032 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1032 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1032 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1036 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2556 wrote to memory of 1036 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2556 wrote to memory of 1036 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2556 wrote to memory of 1036 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2556 wrote to memory of 860 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe
PID 2556 wrote to memory of 860 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe
PID 2556 wrote to memory of 860 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe
PID 2556 wrote to memory of 860 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe
PID 2556 wrote to memory of 1920 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2556 wrote to memory of 1920 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2556 wrote to memory of 1920 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2556 wrote to memory of 1920 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 1036 wrote to memory of 2396 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 2396 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 2396 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 2396 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 1508 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1036 wrote to memory of 1508 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1036 wrote to memory of 1508 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1036 wrote to memory of 1508 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

\??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log

"c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\com\lsass.exe

"C:\Windows\system32\com\lsass.exe"

C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe

"C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\com\lsass.exe

^c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s

C:\Windows\SysWOW64\com\smss.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"

C:\Windows\SysWOW64\ping.exe

ping.exe -f -n 1 www.baidu.com

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x54c

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 js.k0102.com udp
DE 185.53.179.173:80 js.k0102.com tcp
US 8.8.8.8:53 d38psrni17bvxu.cloudfront.net udp
FR 52.222.196.210:80 d38psrni17bvxu.cloudfront.net tcp
US 8.8.8.8:53 ifdnzact.com udp
US 208.91.196.46:80 ifdnzact.com tcp

Files

memory/2380-0-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log

MD5 e5a6277276007273a63888300de78ced
SHA1 df701eeb5f7416346e6381491b90e8f2ac1dd440
SHA256 b021bc0f300ed44580b75b788c6553e384077c138b0a3d7343abfb0ae0fcc17c
SHA512 e162b2e8ecd2547d7873aa18bf5753f88ef8275e155638c4865763c6a45fcaa63dfaeed3081b945dbc397ca711282eeafb6a03a2e588127d11b4bf54456d4962

memory/2380-13-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2556-15-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Windows\SysWOW64\com\smss.exe

MD5 ae1cd1d740c265b7f18f827f9e37afab
SHA1 6b976bc56e4021e7237b3cd4dbe412b6949fb0a0
SHA256 a961e4f09ebcf11e1e384361d20d4ac031b3c159b9e6d50e3b4612102bef2a11
SHA512 c8f973cbece698f0701171be501c5c24fb77345c05c136ba992b97f74b81c0487e4039c5bb9b43176cc3815e8f2181377811a8a4d8fb08f741fa304767b50571

\Windows\SysWOW64\com\lsass.exe

MD5 4312ee3e467cdf66c65cb353791be8e2
SHA1 d93ce11b08d50a5c19fb644831bafd5555599b0d
SHA256 f71e3da0d6b9b29aa763763536fda82e942945717a3f1d17ee5d7fa9397c9dba
SHA512 64707bd32445f8f2c493a8a70c161e54c5ca38aea2fd48f9662b30f148730cadd6cf030fe0960cc6b653ee32c62b267738d4754799c6e9f58ef258fccaed88ca

memory/2556-31-0x0000000002A10000-0x0000000002A3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe

MD5 716c95c2970a1b435bc4bb3e2eab74f2
SHA1 b8227c49acf9fd301661a70d92bca9c7a131d3c0
SHA256 6630352f2082f4e6f552548680a3bcbd1f3bed3fbfaa544203fec4864d8f28f4
SHA512 e902d2bb0615feac0f87d0c992c97842351a975ef0230e6fbb50f0eff13be2b58960d86b63fd19ef7fae4bc1f25427d8f447b093e40f10a90a6d429bb85ca67a

memory/2556-42-0x0000000002A10000-0x0000000003398000-memory.dmp

memory/2556-55-0x0000000002A10000-0x0000000003398000-memory.dmp

memory/2556-57-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2556-56-0x0000000002A10000-0x0000000002A3C000-memory.dmp

memory/860-58-0x0000000000400000-0x0000000000D88000-memory.dmp

C:\NetApi000.sys

MD5 e2b6ea39dfdfc7ceb3dca68a16e25b58
SHA1 6256d32b524de4fa1d888e69aba68054e2d9fc44
SHA256 bf31a7cd97c36fe013f970a6bfa59d81dd19c9c72c33f916cd75b1e516cce5cf
SHA512 41c8dbf33a2a56c6ce4fe8fda7c2c2cf5bbf02a3161c6c17deddb1cb6ed79775e8e424f244b42ec9aba1134c63f0931fe82809cf4855aa331ce0e160ddf7ddd7

memory/1920-63-0x0000000000400000-0x000000000042C000-memory.dmp

memory/860-64-0x0000000000120000-0x0000000000121000-memory.dmp

C:\Windows\SysWOW64\com\netcfg.000

MD5 d1f6b9273cbb2e23aeed11346d0072c5
SHA1 0d012a7c7b37082dcbd5e1688f72eeade705f825
SHA256 dfb2d7cdc6ea056948d09fe139255af2dcc58f3581f4a50f4e5ee0f5a03c39fc
SHA512 4c3ab878131ad38a54d04cf0d268430ab98a67df474a18ee7858c62561d90ec14c34ed63dd973fdf24115ebf17ef65a6a9fc9ac612c247903e881e584dc3b77e

\Windows\SysWOW64\dnsq.dll

MD5 43afc709415b0dfb297dab1209d993b4
SHA1 41c01847c7533aa848ae3f1b82535385857693ed
SHA256 70a6d9489cbb1d3384780f0529c9b32e537e24bdf13c315d7b8e6b3d9d14fc8f
SHA512 a84cade3177e0d1b0672082faebca2a728f69f97750b080bd43a1567307e3b253b48e102adb7fb20ca48d882cb7094a8e1a7a0f816def1acca6072f3a21aaa91

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:08

Reported

2024-04-07 19:10

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe"

Signatures

Modifies AppInit DLL entries

persistence

Sets file execution options in registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\com\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Windows\SysWOW64\com\lsass.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\com\lsass.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\com\lsass.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification D:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification \??\E:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\com\lsass.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification \??\c:\windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\240599594.log C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\dnsq.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\00302.log \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\dnsq.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\bak C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\lsass.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\00302.log C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\netcfg.000 C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\netcfg.000 C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\240599594.log C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\00302.log C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Driver C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LocationInformation C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\com\lsass.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3628 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3628 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3628 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3628 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3628 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3628 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log
PID 3628 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log
PID 3628 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log
PID 2704 wrote to memory of 1064 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1064 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1064 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4312 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 4312 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 4312 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 3368 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 3368 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 3368 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 3808 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 3808 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 3808 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 2848 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 2848 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 2848 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 2084 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2084 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2084 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2160 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2160 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2160 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1960 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2704 wrote to memory of 1960 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2704 wrote to memory of 1960 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2704 wrote to memory of 1288 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe
PID 2704 wrote to memory of 1288 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe
PID 2704 wrote to memory of 1288 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe
PID 2704 wrote to memory of 2780 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2704 wrote to memory of 2780 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2704 wrote to memory of 2780 N/A \??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 1960 wrote to memory of 4052 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 4052 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 4052 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 2172 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 2172 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 2172 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 1120 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 1120 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 1120 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4304 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4304 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4304 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4740 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4740 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4740 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4640 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4640 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4640 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4680 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4680 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 4680 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1960 wrote to memory of 3940 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

\??\c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log

"c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\com\lsass.exe

"C:\Windows\system32\com\lsass.exe"

C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe

"C:\Users\Admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe"

C:\Windows\SysWOW64\com\lsass.exe

^c:\users\admin\appdata\local\temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s

C:\Windows\SysWOW64\com\smss.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"

C:\Windows\SysWOW64\ping.exe

ping.exe -f -n 1 www.baidu.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 js.k0102.com udp
DE 185.53.179.173:80 js.k0102.com tcp
US 8.8.8.8:53 173.179.53.185.in-addr.arpa udp
US 8.8.8.8:53 d38psrni17bvxu.cloudfront.net udp
FR 52.222.196.23:80 d38psrni17bvxu.cloudfront.net tcp
US 8.8.8.8:53 ifdnzact.com udp
US 208.91.196.46:80 ifdnzact.com tcp
US 8.8.8.8:53 23.196.222.52.in-addr.arpa udp
US 8.8.8.8:53 46.196.91.208.in-addr.arpa udp

Files

memory/3628-0-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_jaffacakes118.exe.log

MD5 e5a6277276007273a63888300de78ced
SHA1 df701eeb5f7416346e6381491b90e8f2ac1dd440
SHA256 b021bc0f300ed44580b75b788c6553e384077c138b0a3d7343abfb0ae0fcc17c
SHA512 e162b2e8ecd2547d7873aa18bf5753f88ef8275e155638c4865763c6a45fcaa63dfaeed3081b945dbc397ca711282eeafb6a03a2e588127d11b4bf54456d4962

memory/3628-10-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2704-11-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Windows\SysWOW64\com\smss.exe

MD5 ae1cd1d740c265b7f18f827f9e37afab
SHA1 6b976bc56e4021e7237b3cd4dbe412b6949fb0a0
SHA256 a961e4f09ebcf11e1e384361d20d4ac031b3c159b9e6d50e3b4612102bef2a11
SHA512 c8f973cbece698f0701171be501c5c24fb77345c05c136ba992b97f74b81c0487e4039c5bb9b43176cc3815e8f2181377811a8a4d8fb08f741fa304767b50571

C:\Users\Admin\AppData\Local\Temp\e5a6277276007273a63888300de78ced_jaffacakes118.~

MD5 716c95c2970a1b435bc4bb3e2eab74f2
SHA1 b8227c49acf9fd301661a70d92bca9c7a131d3c0
SHA256 6630352f2082f4e6f552548680a3bcbd1f3bed3fbfaa544203fec4864d8f28f4
SHA512 e902d2bb0615feac0f87d0c992c97842351a975ef0230e6fbb50f0eff13be2b58960d86b63fd19ef7fae4bc1f25427d8f447b093e40f10a90a6d429bb85ca67a

C:\Windows\SysWOW64\com\lsass.exe

MD5 4312ee3e467cdf66c65cb353791be8e2
SHA1 d93ce11b08d50a5c19fb644831bafd5555599b0d
SHA256 f71e3da0d6b9b29aa763763536fda82e942945717a3f1d17ee5d7fa9397c9dba
SHA512 64707bd32445f8f2c493a8a70c161e54c5ca38aea2fd48f9662b30f148730cadd6cf030fe0960cc6b653ee32c62b267738d4754799c6e9f58ef258fccaed88ca

memory/1960-36-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-40-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/2704-41-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2780-42-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2780-43-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-44-0x0000000001E10000-0x0000000001E11000-memory.dmp

C:\NetApi000.sys

MD5 e2b6ea39dfdfc7ceb3dca68a16e25b58
SHA1 6256d32b524de4fa1d888e69aba68054e2d9fc44
SHA256 bf31a7cd97c36fe013f970a6bfa59d81dd19c9c72c33f916cd75b1e516cce5cf
SHA512 41c8dbf33a2a56c6ce4fe8fda7c2c2cf5bbf02a3161c6c17deddb1cb6ed79775e8e424f244b42ec9aba1134c63f0931fe82809cf4855aa331ce0e160ddf7ddd7

memory/1288-51-0x0000000005F90000-0x0000000005F91000-memory.dmp

C:\Windows\SysWOW64\Com\netcfg.000

MD5 d1f6b9273cbb2e23aeed11346d0072c5
SHA1 0d012a7c7b37082dcbd5e1688f72eeade705f825
SHA256 dfb2d7cdc6ea056948d09fe139255af2dcc58f3581f4a50f4e5ee0f5a03c39fc
SHA512 4c3ab878131ad38a54d04cf0d268430ab98a67df474a18ee7858c62561d90ec14c34ed63dd973fdf24115ebf17ef65a6a9fc9ac612c247903e881e584dc3b77e

C:\Windows\SysWOW64\dnsq.dll

MD5 43afc709415b0dfb297dab1209d993b4
SHA1 41c01847c7533aa848ae3f1b82535385857693ed
SHA256 70a6d9489cbb1d3384780f0529c9b32e537e24bdf13c315d7b8e6b3d9d14fc8f
SHA512 a84cade3177e0d1b0672082faebca2a728f69f97750b080bd43a1567307e3b253b48e102adb7fb20ca48d882cb7094a8e1a7a0f816def1acca6072f3a21aaa91

memory/1960-69-0x0000000010000000-0x0000000010018000-memory.dmp

memory/2640-77-0x0000000010000000-0x0000000010010000-memory.dmp

memory/1288-78-0x0000000010000000-0x0000000010018000-memory.dmp

memory/5020-80-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-94-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1960-95-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1288-96-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-97-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-98-0x0000000000400000-0x000000000042C000-memory.dmp

memory/5020-99-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1288-100-0x0000000001E10000-0x0000000001E11000-memory.dmp

memory/1288-101-0x0000000005F90000-0x0000000005F91000-memory.dmp

memory/1960-102-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-104-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-105-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-107-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-109-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-110-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-112-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-114-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-115-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-117-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-119-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-120-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-122-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-124-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-125-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-127-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-129-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-130-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-132-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-134-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-135-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-137-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-139-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-140-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-142-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-144-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-145-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-147-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-149-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-150-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-152-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1288-154-0x0000000000400000-0x0000000000D88000-memory.dmp

memory/1288-155-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1960-161-0x0000000000400000-0x000000000042C000-memory.dmp