Malware Analysis Report

2024-08-06 17:38

Sample ID 240412-djsd1agd6s
Target eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118
SHA256 862bf290697cfbd5cb41966b550e8b163aac94d6e07461c6e4353ea6fad62e83
Tags
xpertrat evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

862bf290697cfbd5cb41966b550e8b163aac94d6e07461c6e4353ea6fad62e83

Threat Level: Known bad

The file eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xpertrat evasion persistence rat trojan

UAC bypass

XpertRAT

Windows security bypass

Adds policy Run key to start application

Deletes itself

Windows security modification

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-04-12 03:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 03:02

Reported

2024-04-12 03:05

Platform

win7-20231129-en

Max time kernel

132s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

XpertRAT

rat xpertrat

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2868 set thread context of 988 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 988 set thread context of 1960 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 988 set thread context of 1672 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2868 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 bing.com udp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp

Files

memory/2868-1-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2868-0-0x0000000000160000-0x000000000024A000-memory.dmp

memory/2868-2-0x0000000004CC0000-0x0000000004D00000-memory.dmp

memory/2864-5-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/2864-6-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/2864-7-0x00000000001E0000-0x0000000000220000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 96eefb5a06125f06011190963e524e3e
SHA1 78249fea1b39f607c47bdc5b187d92ef83f91d50
SHA256 c7254beb881c3ff0f433cdff3981f03d84250a88a1d5436e048570bc19b42ce6
SHA512 237765a2a8513efc1b98d7d39994357ca4ba217ec3695078c09e5db90f54f7a0bed6ed14686f8be39062dc955e2f34f918b0c9f8fc1a4c7918db5111a0d28269

memory/2760-13-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/2760-14-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/2760-15-0x00000000029B0000-0x00000000029F0000-memory.dmp

memory/2864-21-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/2676-22-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/2676-23-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/2760-24-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/3036-30-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/3036-31-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/3036-32-0x00000000029C0000-0x0000000002A00000-memory.dmp

memory/2676-33-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/3036-34-0x000000006F180000-0x000000006F72B000-memory.dmp

memory/1568-41-0x000000006EEB0000-0x000000006F45B000-memory.dmp

memory/1568-40-0x000000006EEB0000-0x000000006F45B000-memory.dmp

memory/1568-42-0x000000006EEB0000-0x000000006F45B000-memory.dmp

memory/2868-43-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/1568-44-0x000000006EEB0000-0x000000006F45B000-memory.dmp

memory/2868-50-0x0000000004CC0000-0x0000000004D00000-memory.dmp

memory/2724-51-0x000000006F150000-0x000000006F6FB000-memory.dmp

memory/2724-53-0x0000000002B00000-0x0000000002B40000-memory.dmp

memory/2724-52-0x000000006F150000-0x000000006F6FB000-memory.dmp

memory/2724-54-0x000000006F150000-0x000000006F6FB000-memory.dmp

memory/2868-55-0x0000000007D60000-0x0000000007DBA000-memory.dmp

memory/2868-56-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-71-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-69-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-75-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-73-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-67-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-65-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-83-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-89-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-87-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-85-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-81-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-79-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-77-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-63-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-61-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-59-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-57-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-91-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-93-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-105-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-103-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-117-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-119-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-115-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-113-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-111-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-109-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-107-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-101-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-99-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-97-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-95-0x0000000007D60000-0x0000000007DB5000-memory.dmp

memory/2868-154-0x00000000046D0000-0x00000000046FE000-memory.dmp

memory/2868-162-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/988-165-0x0000000000400000-0x000000000042C000-memory.dmp

memory/988-175-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-12 03:02

Reported

2024-04-12 03:05

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

XpertRAT

rat xpertrat

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 516 set thread context of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2992 set thread context of 3696 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 516 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2992 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2992 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2992 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2992 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2992 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2992 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2992 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2992 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3696 wrote to memory of 4780 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 3696 wrote to memory of 4780 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 3696 wrote to memory of 4780 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 3696 wrote to memory of 4780 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 bing.com udp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
NL 2.56.57.193:4000 kapasky-antivirus.firewall-gateway.net tcp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp

Files

memory/516-0-0x0000000000FC0000-0x00000000010AA000-memory.dmp

memory/516-1-0x0000000074990000-0x0000000075140000-memory.dmp

memory/516-2-0x0000000005F70000-0x0000000006514000-memory.dmp

memory/516-3-0x0000000005A60000-0x0000000005AF2000-memory.dmp

memory/516-4-0x0000000005C40000-0x0000000005C50000-memory.dmp

memory/516-5-0x0000000005C00000-0x0000000005C0A000-memory.dmp

memory/2776-6-0x00000000046C0000-0x00000000046F6000-memory.dmp

memory/2776-7-0x0000000074990000-0x0000000075140000-memory.dmp

memory/2776-8-0x0000000002360000-0x0000000002370000-memory.dmp

memory/2776-9-0x0000000002360000-0x0000000002370000-memory.dmp

memory/2776-10-0x0000000004D30000-0x0000000005358000-memory.dmp

memory/2776-11-0x0000000004CB0000-0x0000000004CD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4i3xik4n.vmm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2776-17-0x0000000005490000-0x00000000054F6000-memory.dmp

memory/2776-22-0x0000000005600000-0x0000000005666000-memory.dmp

memory/2776-23-0x0000000005890000-0x0000000005BE4000-memory.dmp

memory/2776-24-0x0000000005C50000-0x0000000005C6E000-memory.dmp

memory/2776-25-0x0000000005D00000-0x0000000005D4C000-memory.dmp

memory/2776-26-0x0000000006C40000-0x0000000006CD6000-memory.dmp

memory/2776-27-0x0000000006160000-0x000000000617A000-memory.dmp

memory/2776-28-0x00000000061B0000-0x00000000061D2000-memory.dmp

memory/1100-30-0x0000000074990000-0x0000000075140000-memory.dmp

memory/2776-29-0x0000000007EC0000-0x000000000853A000-memory.dmp

memory/1100-31-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/1100-32-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/3636-42-0x0000000074990000-0x0000000075140000-memory.dmp

memory/3636-43-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

memory/2776-55-0x0000000074990000-0x0000000075140000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6832ae680e8ddacc9752c84ff4ee94d5
SHA1 eba38e3a46f6a27ec29c567c6766ba57fe7954ba
SHA256 19c4f3bc855b449022b1baf50569236e2d844e3f323453291495de125f76e632
SHA512 9cea7dcd3b0bf6bb6c1fd15aea43312cb52926e2e61455fcb26a6dd82323e352b9960f4afe412891be2aba54230ef354772e5397df8c6100e5aab875247fa1ef

memory/212-57-0x0000000074990000-0x0000000075140000-memory.dmp

memory/212-58-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/212-59-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8da66ef0fa38c048096d08c341447d03
SHA1 9e517cd043300c581fb6ab6954a7364a257c5b39
SHA256 cb65334142c18890d1455b49276f5d8e7a8031f2d3a5448b706fde94ac53edbe
SHA512 5fb61ac16678a5508c593a639f74d20239e64b82ce3db138e03b27152b76729f56507145eb63643b3142990c30259912c00abed8e20a8242716d836315a05c2a

memory/1100-71-0x0000000074990000-0x0000000075140000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2d2b455c6a8237ce2aaee586cdacc62c
SHA1 efa0fe319afed0120c9288359b9c9cf2c0506b82
SHA256 bb5d4ac648c15d3b980cdfb864695aeb41a022d03845912c54f203e15c214fba
SHA512 09fd7aeb6da862bf76b501639f98bad618e0a012d1728d0d8533a247bbbd2c56e9a859a736dc1dcd0990ab9aee51b0bdb57b56aea53bb708163e0a7a2eb5fc06

memory/3636-74-0x0000000074990000-0x0000000075140000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b76f98cd589de607d62509ef4ad2b28
SHA1 3c184892aac8cd6fd381f1fd3f45e81d96de659b
SHA256 61ad8ba902292f9cc5c3d8ad6346a73989db9657a6b6f9b4c55a48a752aac853
SHA512 69e108abdaf7bdb019f4f7f2eab060936242b9019bf3a88ffd7a7e8c1c01bf92961fad3fdb23e6675d743ca609936a6764b1db6d1411e3a9fd1bd6a82ac19b88

memory/212-77-0x0000000074990000-0x0000000075140000-memory.dmp

memory/404-78-0x0000000074990000-0x0000000075140000-memory.dmp

memory/404-79-0x0000000004870000-0x0000000004880000-memory.dmp

memory/404-80-0x0000000004870000-0x0000000004880000-memory.dmp

memory/516-81-0x0000000074990000-0x0000000075140000-memory.dmp

memory/404-93-0x0000000074990000-0x0000000075140000-memory.dmp

memory/516-104-0x0000000005C40000-0x0000000005C50000-memory.dmp

memory/3100-105-0x0000000006300000-0x0000000006654000-memory.dmp

memory/3100-94-0x0000000074990000-0x0000000075140000-memory.dmp

memory/3100-106-0x0000000005330000-0x0000000005340000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4dfc4cf6e29e679e7e33f20a78a44924
SHA1 ee6a2df9efcc4ae70b896f7a498b75d5032ad74c
SHA256 44c9d00c914783cd7168f12f50628d936c07964449051a2e582b49946b1f0549
SHA512 f21233f2fb0f891d9d2fce8cc89c8bf5d44ec9c8e46c4751c25fb39effd22a219c0d4b4259191ec34f0ea3e89ab138262b4456633f926d0123e970e2105b8444

memory/3100-109-0x0000000074990000-0x0000000075140000-memory.dmp

memory/516-110-0x0000000006C90000-0x0000000006CEA000-memory.dmp

memory/516-111-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-114-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-112-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-126-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-124-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-122-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-128-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-120-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-130-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-118-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-132-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-116-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-134-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-148-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-146-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-150-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-144-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-142-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-152-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-140-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-138-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-154-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-136-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-162-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-164-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-160-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-158-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-166-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-156-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-168-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-170-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-174-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-172-0x0000000006C90000-0x0000000006CE5000-memory.dmp

memory/516-209-0x0000000006DB0000-0x0000000006E26000-memory.dmp

memory/516-210-0x0000000006F80000-0x0000000006FAE000-memory.dmp

memory/516-211-0x00000000070B0000-0x00000000070CE000-memory.dmp

memory/516-216-0x0000000074990000-0x0000000075140000-memory.dmp

memory/2992-217-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2992-227-0x0000000000400000-0x000000000042C000-memory.dmp