Malware Analysis Report

2025-06-16 05:07

Sample ID 240409-bywzmadg6y
Target e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118
SHA256 d4cb0f461af9d253c3bd6a808e2a66f49bf9e20af31d789faa682b78887273f3
Tags djvu discovery persistence ransomware
Score 10/10

Analysis Overview

Score 10/10

SHA256

d4cb0f461af9d253c3bd6a808e2a66f49bf9e20af31d789faa682b78887273f3

Threat Level: Known bad

The file e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-04-09 01:33

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 01:33

Reported

2024-04-09 01:36

Platform

win7-20240221-en

Max time kernel

168s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b9b99fff-7a4f-45f1-86dc-3d8cf48d7ffd\\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe
PID 2952 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe C:\Windows\SysWOW64\icacls.exe
PID 2952 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe
PID 772 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b9b99fff-7a4f-45f1-86dc-3d8cf48d7ffd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 securebiz.org udp

Files


C:\Users\Admin\AppData\Local\b9b99fff-7a4f-45f1-86dc-3d8cf48d7ffd\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

MD5 e8e930faa09a1b2a7dd07ba412b70ad8
SHA1 1af64e7e5c6cd6a6089196669809f0aac1d89b6b
SHA256 d4cb0f461af9d253c3bd6a808e2a66f49bf9e20af31d789faa682b78887273f3
SHA512 72061072c56fb650de78ea8e54e76be657ccf9dba3fdcf50619072e4774dc95faf8542cb1cd0de4ab933f14d61719a6b7a7cdf3fbe3b22ef34900529fa17d2ff


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 01:33

Reported

2024-04-09 01:36

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2f683abf-d8f6-4ae1-a1dc-2274929f9016\\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe
PID 1496 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe C:\Windows\SysWOW64\icacls.exe
PID 1496 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe
PID 4336 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2f683abf-d8f6-4ae1-a1dc-2274929f9016" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\2f683abf-d8f6-4ae1-a1dc-2274929f9016\e8e930faa09a1b2a7dd07ba412b70ad8_JaffaCakes118.exe

MD5 e8e930faa09a1b2a7dd07ba412b70ad8
SHA1 1af64e7e5c6cd6a6089196669809f0aac1d89b6b
SHA256 d4cb0f461af9d253c3bd6a808e2a66f49bf9e20af31d789faa682b78887273f3
SHA512 72061072c56fb650de78ea8e54e76be657ccf9dba3fdcf50619072e4774dc95faf8542cb1cd0de4ab933f14d61719a6b7a7cdf3fbe3b22ef34900529fa17d2ff
