Malware Analysis Report

2025-01-18 21:41

Sample ID 240415-f35vjsff74
Target f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118
SHA256 def88cd2ce3ab3e358aa9f6cb73e5eef7de3c753c2b1b3bac6269ec19fbf288c
Tags: upx adware discovery persistence stealer
Score: 8/10


Analysis Overview

Score: 8/10

SHA256 def88cd2ce3ab3e358aa9f6cb73e5eef7de3c753c2b1b3bac6269ec19fbf288c

Threat Level: Likely malicious

The file f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx adware discovery persistence stealer

Adds policy Run key to start application

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

UPX packed file

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 05:24

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 05:24

Reported

2024-04-15 05:27

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe"

Signatures

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\user32.dll = "C:\\Program Files (x86)\\Internet Security\\isamntr.exe" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Security\isamini.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB} | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\ | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Security\isamntr.exe | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Internet Security\isunst.exe | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Internet Security\isadd.dll | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
File created | C:\Program Files (x86)\Internet Security\isamini.exe | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Search | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB} | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\ | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32 | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Security\\isadd.dll" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Security\isamini.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | C:\Program Files (x86)\Internet Security\isamntr.exe
PID 1128 wrote to memory of 2680 | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | C:\Program Files (x86)\Internet Security\isamini.exe
PID 2204 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe"

C:\Program Files (x86)\Internet Security\isamntr.exe

"C:\Program Files (x86)\Internet Security\isamntr.exe"

C:\Program Files (x86)\Internet Security\isamini.exe

"C:\Program Files (x86)\Internet Security\isamini.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F06A37~1.EXE > nul

Network

N/A

Files

memory/2204-0-0x0000000000400000-0x0000000000419000-memory.dmp

\Program Files (x86)\Internet Security\isamntr.exe

MD5 791dce91546dee755a7b00770f78c616
SHA1 768661283866843df31dd40f9192aba8a379e0fd
SHA256 ffa369b3138b4d9d8707f9c494f254a8a5c6e67c2fd0ebcb1ebe643dc95e153a
SHA512 069b7e663858bac0479d36dadb8c6a68d56a7f60bcc981248b515dec0a4e4edc77ffdb8d74545e59a556cd4745dc27ad7ae02c60963d89addfe1a4d5fb8845f9

\Program Files (x86)\Internet Security\isadd.dll

MD5 c3aba1388c6f0e377325b3bece5acf26
SHA1 6322d51f910706279ec15ac40452e9103e38013f
SHA256 374a359d5498fa74bd7c61aaeb5cfed50693f5f08b3f9c5a7ebb08204cc995b1
SHA512 838c94fc418567c26c7d62cae61a66a825211e74d99e4afad8d4db461f35f2d5b52580bfef8e4e70f37beadd7db387725854bf39d60cd128bfde3c26ffeeaa3b

\Program Files (x86)\Internet Security\isamini.exe

MD5 4faf36a30d06189d4636de34ca4af4a2
SHA1 c5edfd714b74300894456b97044320003ec1c58b
SHA256 31d6bf2ffef30e3e4f1f1a9dbb7f57e6b6eec7ed0b84719d5bf0a680631045fc
SHA512 918edade94444b2632614eb9a021b89a61a070ad631ec4c3972cbea8f110c09a03838ccd09de2d678a1a3b96aef52191367aeff6bb6812555b542aa21319ae59

memory/2204-21-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 05:24

Reported

2024-04-15 05:27

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe"

Signatures

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\user32.dll = "C:\\Program Files (x86)\\Internet Security\\isamntr.exe" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Security\isamini.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB} | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\ | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Security\isamini.exe | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
File created | C:\Program Files (x86)\Internet Security\isamntr.exe | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Internet Security\isadd.dll | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
File created | C:\Program Files (x86)\Internet Security\isunst.exe | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Search | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB} | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\ | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32 | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Security\\isadd.dll" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Security\isamini.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe"

C:\Program Files (x86)\Internet Security\isamntr.exe

"C:\Program Files (x86)\Internet Security\isamntr.exe"

C:\Program Files (x86)\Internet Security\isamini.exe

"C:\Program Files (x86)\Internet Security\isamini.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F06A37~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp

Files

memory/3620-0-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Program Files (x86)\Internet Security\isamntr.exe

MD5 791dce91546dee755a7b00770f78c616
SHA1 768661283866843df31dd40f9192aba8a379e0fd
SHA256 ffa369b3138b4d9d8707f9c494f254a8a5c6e67c2fd0ebcb1ebe643dc95e153a
SHA512 069b7e663858bac0479d36dadb8c6a68d56a7f60bcc981248b515dec0a4e4edc77ffdb8d74545e59a556cd4745dc27ad7ae02c60963d89addfe1a4d5fb8845f9

C:\Program Files (x86)\Internet Security\isadd.dll

MD5 c3aba1388c6f0e377325b3bece5acf26
SHA1 6322d51f910706279ec15ac40452e9103e38013f
SHA256 374a359d5498fa74bd7c61aaeb5cfed50693f5f08b3f9c5a7ebb08204cc995b1
SHA512 838c94fc418567c26c7d62cae61a66a825211e74d99e4afad8d4db461f35f2d5b52580bfef8e4e70f37beadd7db387725854bf39d60cd128bfde3c26ffeeaa3b

C:\Program Files (x86)\Internet Security\isamini.exe

MD5 4faf36a30d06189d4636de34ca4af4a2
SHA1 c5edfd714b74300894456b97044320003ec1c58b
SHA256 31d6bf2ffef30e3e4f1f1a9dbb7f57e6b6eec7ed0b84719d5bf0a680631045fc
SHA512 918edade94444b2632614eb9a021b89a61a070ad631ec4c3972cbea8f110c09a03838ccd09de2d678a1a3b96aef52191367aeff6bb6812555b542aa21319ae59

memory/3620-14-0x0000000000400000-0x0000000000419000-memory.dmp