Malware Analysis Report

2025-06-16 05:07

Sample ID 240409-f114ksff69
Target e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118
SHA256 a4520e17b63c5503219d9c36435b26054ac63e4539883c5244b3129535d82879
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

a4520e17b63c5503219d9c36435b26054ac63e4539883c5244b3129535d82879

Threat Level: Known bad

The file e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-04-09 05:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 05:21

Reported

2024-04-09 05:23

Platform

win7-20240221-en

Max time kernel

148s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\53b29552-40bb-424c-b5c6-c1f6011e9abf\\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 1780 (11 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe
PID 1780 wrote to memory of 2412 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe C:\Windows\SysWOW64\icacls.exe
PID 1780 wrote to memory of 2628 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe
PID 2628 wrote to memory of 2428 (11 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\53b29552-40bb-424c-b5c6-c1f6011e9abf" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp

Files

memory/2084-0-0x0000000000230000-0x00000000002C1000-memory.dmp

memory/1780-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2084-4-0x0000000002D00000-0x0000000002E1B000-memory.dmp

memory/1780-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2084-1-0x0000000000230000-0x00000000002C1000-memory.dmp

memory/1780-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1780-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\53b29552-40bb-424c-b5c6-c1f6011e9abf\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

MD5 e950889fc7f88cbc4408d934e2e220f6
SHA1 cefca2c4538365655cb1eead3f3390313b9ea18a
SHA256 a4520e17b63c5503219d9c36435b26054ac63e4539883c5244b3129535d82879
SHA512 82b07bab3625f0f6abd85f477ebcd6df334ac1f7e9a186dea82e9101c14b4990ad461aa552df27ba3b121b799c2f164335524b1309f7bb96ef1eead5675ad7bb

memory/2628-27-0x00000000002E0000-0x0000000000371000-memory.dmp

memory/1780-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2628-29-0x00000000002E0000-0x0000000000371000-memory.dmp

memory/2428-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2428-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2eb6b2da09454ea922752130773add02
SHA1 daf11cda2fc5e53c04beed64adec1c83fb21c242
SHA256 6a6cc07d0c1b46a9d1c971a032006eebcc854b67e440fbb41d0d6c1d93dff406
SHA512 758cd992fd44973d6b13ab085cf3723f03ad3cc18e552379b81800a4c9fc81e843240f1216e6a5d044fe8e08ecae27ba895e54386586f3064bbc2ae555449d18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 a40e6081ebb759cf5d244fa769fd0d1e
SHA1 ee1cd5aa0506ef5b0a646e375f04d23447f234c6
SHA256 11fe606a81d7fcb159266f6b0871803db54b2451d6030afbfc68b0b2d00f94f1
SHA512 a95dfc4efbc7b3cdd7c8bad13598319ea1c283c448f419ef6730fd231dfb9c80236ad0854adb9d8685427aa34072f7c16a5376b4da3f4f567291cacec4d56aeb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 580071ebd24cccfd9268e1474bb8134e
SHA1 443665efe7009fe1d4c5bc4786dc9cc540e59ef6
SHA256 53e3fd53196b53d23b724612cf2704518edf3e979dca02f5674ac419b5f7b461
SHA512 13d52455d8a30a0af06c420cd01f13f55efc4c55b59883c5208bf4929352e7b783557bff6a157c4fc71a8e7cbfadf00d55eef8ebef4b984624d8feb116a960a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 dee0d584312b1218b8c25a1025e361c7
SHA1 7d66aa421782438a997e6b3781c96869f692df14
SHA256 613972f1636eecce1563f567a29b049735b496eb82d44566e40f89df64901d9f
SHA512 9ed20ac5fa9ce8e6e46edc641e0103cd96c42df8156238102b0b2874d221c7e1c71d4e7bdc47ddabb687d211c3d9c0ebc8a83592caa1a4935d05f8f430d5b121

C:\Users\Admin\AppData\Local\Temp\Cab225F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2428-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2428-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2428-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2428-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2428-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2428-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2428-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2428-58-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 05:21

Reported

2024-04-09 05:23

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\83424aee-9955-4559-b024-016c853d1f90\\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3864 wrote to memory of 5020 (10 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe
PID 5020 wrote to memory of 4204 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe C:\Windows\SysWOW64\icacls.exe
PID 5020 wrote to memory of 1188 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe
PID 1188 wrote to memory of 3968 (10 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\83424aee-9955-4559-b024-016c853d1f90" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3864-1-0x0000000003300000-0x0000000003399000-memory.dmp

memory/3864-2-0x00000000033A0000-0x00000000034BB000-memory.dmp

memory/5020-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5020-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5020-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5020-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\83424aee-9955-4559-b024-016c853d1f90\e950889fc7f88cbc4408d934e2e220f6_JaffaCakes118.exe

MD5 e950889fc7f88cbc4408d934e2e220f6
SHA1 cefca2c4538365655cb1eead3f3390313b9ea18a
SHA256 a4520e17b63c5503219d9c36435b26054ac63e4539883c5244b3129535d82879
SHA512 82b07bab3625f0f6abd85f477ebcd6df334ac1f7e9a186dea82e9101c14b4990ad461aa552df27ba3b121b799c2f164335524b1309f7bb96ef1eead5675ad7bb

memory/5020-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1188-19-0x0000000002FE0000-0x0000000003073000-memory.dmp

memory/3968-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 0cb61ca512884acf25d2ebbda01513ce
SHA1 41ebe16290aaa63ab7cf9b7f90b8f828524bd9c6
SHA256 bae7842eb139a77a8a8fe83438c2935f9debaed3bc8db5e25e8fd4e32a0606f8
SHA512 ae5fe9dbb980bb6d824d1edeb08da551d63cd7314cb7b6b2937f5b934962865baf52038d6902dbe00a551a6e44eb57136a047c77f6cc63ee6b5453ed6d782c5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 580071ebd24cccfd9268e1474bb8134e
SHA1 443665efe7009fe1d4c5bc4786dc9cc540e59ef6
SHA256 53e3fd53196b53d23b724612cf2704518edf3e979dca02f5674ac419b5f7b461
SHA512 13d52455d8a30a0af06c420cd01f13f55efc4c55b59883c5208bf4929352e7b783557bff6a157c4fc71a8e7cbfadf00d55eef8ebef4b984624d8feb116a960a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 02fc04a05f0ab5b286ca315ccd1d0afc
SHA1 8922bf13880c9ae26a18fec2585fb90baaefa97c
SHA256 80ccbc092f36b25cd6140e6aac7716db1bb0ad0f95d7d3eddf9c0d808360c760
SHA512 91bd335b6845756586b0f7c630d5ead7fe3a4ce9c8581b1541436c4399ac00c52a80ed471c7d04207ebafab62b99668724c0fc60a552f223f3309edddcfffa21

memory/3968-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-37-0x0000000000400000-0x0000000000537000-memory.dmp