Malware Analysis Report

2025-01-03 08:11

Sample ID: 240419-f7pn5aba8w
Target: f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118
SHA256: 81891f4658e178e464c7f5eb6e0fe3941bbee6b5516ce07286e94d73ab42e99a
Tags: metasploit, backdoor, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 81891f4658e178e464c7f5eb6e0fe3941bbee6b5516ce07286e94d73ab42e99a

Threat Level: Known bad

The file f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: metasploit, backdoor, trojan

MetaSploit

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-19 05:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-19 05:31
Reported: 2024-04-19 05:33
Platform: win7-20240221-en
Max time kernel: 139s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"

Signatures

MetaSploit

Tags: trojan, backdoor, metasploit

Drops file in System32 directory

Description | Indicator | Process | Target | Events
File created | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | N/A | 10
File opened for modification | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | N/A | 10
File opened for modification | C:\Windows\SysWOW64\winIogon.exe | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | N/A | 1
File created | C:\Windows\SysWOW64\winIogon.exe | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 3008 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | 9
PID 2072 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | C:\Windows\SysWOW64\winIogon.exe | 4
PID 2608 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 9
PID 2524 wrote to memory of 2452 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 4
PID 2452 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 9
PID 2900 wrote to memory of 568 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 4
PID 568 wrote to memory of 2580 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 9
PID 2580 wrote to memory of 368 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 4
PID 368 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 9
PID 2664 wrote to memory of 1320 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 3

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 472 "C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 504 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 508 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"

Network

N/A

Files

Memory dumps: 23 dumps of the region 0x0000000000400000-0x000000000048B000 were captured from PIDs 2072, 2524, 2900, 2580, 2664, 1536, 1716, 752, 3036, 2532 and 2420, plus one dump of 0x000000007EFDE000-0x000000007EFDF000 from PID 2072 (memory/<pid>-<n>-<start>-<end>-memory.dmp).

\Windows\SysWOW64\winIogon.exe

MD5: f99b3b75f86bb6e275b7500fefe178ef
SHA1: b31f72450b435373e6a1d2d77092d0cc33d7580a
SHA256: 81891f4658e178e464c7f5eb6e0fe3941bbee6b5516ce07286e94d73ab42e99a
SHA512: 3441cf5b34e52cef448a4b0b06cb1cac58de26ce4ed7bea8c93d5bd5f1090e150c86d400dcbda0dda51468592388e6ae4531e5d519ed3e779724d40caba6c58c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-19 05:31
Reported: 2024-04-19 05:33
Platform: win10v2004-20240412-en
Max time kernel: 151s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"

Signatures

MetaSploit

Tags: trojan, backdoor, metasploit

Drops file in System32 directory

Description | Indicator | Process | Target | Events
File created | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | N/A | 10
File opened for modification | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | N/A | 10
File opened for modification | C:\Windows\SysWOW64\winIogon.exe | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | N/A | 1
File created | C:\Windows\SysWOW64\winIogon.exe | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2608 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | 8
PID 2136 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | C:\Windows\SysWOW64\winIogon.exe | 3
PID 3940 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 8
PID 2416 wrote to memory of 492 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 3
PID 492 wrote to memory of 452 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 8
PID 452 wrote to memory of 4968 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 3
PID 4968 wrote to memory of 2648 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 8
PID 2648 wrote to memory of 3152 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 3
PID 3152 wrote to memory of 1780 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 8
PID 1780 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 3
PID 3004 wrote to memory of 2564 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 8
PID 2564 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\winIogon.exe | C:\Windows\SysWOW64\winIogon.exe | 1

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 972 "C:\Users\Admin\AppData\Local\Temp\f99b3b75f86bb6e275b7500fefe178ef_JaffaCakes118.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 1124 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 1096 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 1092 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 1092 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 1096 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 1092 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 1092 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 984 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | C:\Windows\system32\winIogon.exe 1096 "C:\Windows\SysWOW64\winIogon.exe"
C:\Windows\SysWOW64\winIogon.exe | "C:\Windows\SysWOW64\winIogon.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp

Files

Memory dumps: 23 dumps of the region 0x0000000000400000-0x000000000048B000 were captured from PIDs 2136, 2416, 452, 2648, 1780, 2564, 3376, 4404, 4432, 3152 and 3252 (memory/<pid>-<n>-<start>-<end>-memory.dmp).

C:\Windows\SysWOW64\winIogon.exe

MD5: f99b3b75f86bb6e275b7500fefe178ef
SHA1: b31f72450b435373e6a1d2d77092d0cc33d7580a
SHA256: 81891f4658e178e464c7f5eb6e0fe3941bbee6b5516ce07286e94d73ab42e99a
SHA512: 3441cf5b34e52cef448a4b0b06cb1cac58de26ce4ed7bea8c93d5bd5f1090e150c86d400dcbda0dda51468592388e6ae4531e5d519ed3e779724d40caba6c58c