Malware Analysis Report

2025-06-16 05:07

Sample ID 240409-ltcqasfc6t
Target e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118
SHA256 76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6
Tags djvu discovery persistence ransomware
Score 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6

Threat Level: Known bad

The file e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 09:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 09:49

Reported

2024-04-09 09:51

Platform

win7-20240221-en

Max time kernel

147s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows; no per-hit detail reported)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8bebaf58-452d-4677-88a1-31d25f05eec3\\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2060 (11 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe
PID 2060 wrote to memory of 2944 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe C:\Windows\SysWOW64\icacls.exe
PID 2060 wrote to memory of 2680 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe
PID 2680 wrote to memory of 2520 (11 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\8bebaf58-452d-4677-88a1-31d25f05eec3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp

Files

memory/2264-0-0x0000000002D90000-0x0000000002E21000-memory.dmp

memory/2264-1-0x0000000002D90000-0x0000000002E21000-memory.dmp

memory/2264-2-0x0000000004570000-0x000000000468B000-memory.dmp

memory/2060-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2060-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2264-7-0x0000000002D90000-0x0000000002E21000-memory.dmp

memory/2060-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2060-9-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\8bebaf58-452d-4677-88a1-31d25f05eec3\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

MD5 e9b7be0e8c22db244de8af36e27a659d
SHA1 4161eac953f65889890904479e43333e3969f409
SHA256 76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6
SHA512 9863c1b1841c692f5206372763a62eace87e1a85a295c7acfa6e6dfc59b7d1531d56cb2e0a7886f0eb2c08824a4c9fd789866f2a1f353a4b867b57d7f74cc001

memory/2680-28-0x0000000000310000-0x00000000003A1000-memory.dmp

memory/2060-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2680-30-0x0000000000310000-0x00000000003A1000-memory.dmp

memory/2520-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2680-35-0x0000000000310000-0x00000000003A1000-memory.dmp

memory/2520-37-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 4f6074e118eca3b7d2b9dde584fda425
SHA1 cb19ecfc549a160250aebd267619a0517b8a281b
SHA256 72ec2fc190c6f2cb5321557e17da8b230fc3f1e8476aedd16f7dfc509845c575
SHA512 edeeeff38c305fa6384a901c82af7be9e6daeaa0ca3541b5b2dbf2ae06e584d093f7a9948afb9e5ee8b1a2691f805f34388f9d9c99b85da099bb5af91a454bc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fc5408c48a55314c72e200b74330cac4
SHA1 7e8889ec3189a40e6078088927bf3612753fa628
SHA256 7ea2a016d97635b1367455af2250cbf9e9c34d293829d11fc21ce905347590c4
SHA512 481753ef755c188012919ea728ea0395f22b6ce83f2f9a11675be6072f154db141b2382dc62ad7c3c95e36596529176a66f40e3d118cf0e33ea8e6f716ae1d77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4fcb6324d0cc5736a4588f0a17c14e73
SHA1 1516061eb49782fda52919dcfab0b94f4354b5a5
SHA256 f606eedd481682329eb3011db4093f420cf6794a61e8979f035b67b2928efba8
SHA512 29df5b20506e99f772d4ddb756272f38107d23746e41cda70f4dd8978f74460c6bddff4be33652691e333da078d758bcf775187c77376346ae9efa6a9c4cbe83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 654f82f1f74ef36efe622405a0f54c77
SHA1 d1ebc46cc9032e97e9b0e1f6501f54a62ecc0f06
SHA256 2b9461f2557dcd0d2d9703faf0eb66c7de4d70b6bd0c7a59c6ea0eed591e8925
SHA512 a3a1f6a7db33b6dd8a6ae5e33089344044094328b40431d3c42748d1b5a6d8e884aba982e1291311960b81ce52a2a4380cfe3e990624b6eb7b0b3460d1e43591

C:\Users\Admin\AppData\Local\Temp\Cab27AC.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2520-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-60-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 09:49

Reported

2024-04-09 09:51

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows; no per-hit detail reported)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2e0a74d6-697e-4453-8ee0-5abc3639c582\\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 2244 (10 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe
PID 2244 wrote to memory of 2008 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe C:\Windows\SysWOW64\icacls.exe
PID 2244 wrote to memory of 1960 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe
PID 1960 wrote to memory of 3112 (10 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2e0a74d6-697e-4453-8ee0-5abc3639c582" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 81.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.80.50.20.in-addr.arpa udp

Files

memory/2928-1-0x0000000004AA0000-0x0000000004B33000-memory.dmp

memory/2928-2-0x0000000004BE0000-0x0000000004CFB000-memory.dmp

memory/2244-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\2e0a74d6-697e-4453-8ee0-5abc3639c582\e9b7be0e8c22db244de8af36e27a659d_JaffaCakes118.exe

MD5 e9b7be0e8c22db244de8af36e27a659d
SHA1 4161eac953f65889890904479e43333e3969f409
SHA256 76ee80e6da636e1751c2a9d7c7d4f18e3068babd79d8333961eaee1bca7c50e6
SHA512 9863c1b1841c692f5206372763a62eace87e1a85a295c7acfa6e6dfc59b7d1531d56cb2e0a7886f0eb2c08824a4c9fd789866f2a1f353a4b867b57d7f74cc001

memory/2244-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1960-18-0x00000000047F0000-0x0000000004885000-memory.dmp

memory/3112-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3112-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3112-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fc5408c48a55314c72e200b74330cac4
SHA1 7e8889ec3189a40e6078088927bf3612753fa628
SHA256 7ea2a016d97635b1367455af2250cbf9e9c34d293829d11fc21ce905347590c4
SHA512 481753ef755c188012919ea728ea0395f22b6ce83f2f9a11675be6072f154db141b2382dc62ad7c3c95e36596529176a66f40e3d118cf0e33ea8e6f716ae1d77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 0adb9743df5d307aefcb29770618facb
SHA1 fc21e18b0f37b106f360ea59fc99f4624981387c
SHA256 4dea5312eea6e8b893029b22758170c8cec558fe05902848a9a9445f9b0f9c0f
SHA512 8c6e2df1915538b1769d524366d3db2c16321899e55ae74fc776a4f97793d6b68bc4db10b9cb1166adc5816a4c2a86cf6aaa3751745541d35793d34f9389e4d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d078ea4c02e5089e9b92bd62e9dedab3
SHA1 abac8c060bf17059915cc8f27c04ff70876e8c8e
SHA256 c3f8a299f7b7ae86d7bc4e1f6c77f78b406fe4e3d874ca4e53748dcabd613843
SHA512 f5ebcb741600b12c7523fcec38527c1703249d5620a93698ad294bc4fa638d9fd22294abd092edf501ed175105e198776494c1d847748c367786b0c7d99eed3e

memory/3112-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3112-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3112-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3112-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3112-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3112-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3112-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3112-37-0x0000000000400000-0x0000000000537000-memory.dmp