Malware Analysis Report

2024-07-11 07:39

Sample ID 240420-b1a5yadh8t
Target fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118
SHA256 792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6
Tags
plugx persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6

Threat Level: Known bad

The file fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

plugx persistence trojan

PlugX

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-20 01:36

Signatures

Unsigned PE


NSIS installer

installer

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-20 01:36

Reported

2024-04-20 01:38

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118.exe"

Signatures

PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A
N/A N/A C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A
N/A N/A C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" url.dll, FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\arpa.exe

C:\Users\Admin\AppData\Local\Temp\arpa.exe

"C:\Users\Admin\AppData\Local\Temp\arpa.exe"

C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

"C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe" -app

Network


Files

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 5b92266d9a26260b4c9920ede267ba37
SHA1 372d5455fdb689787e7e49f7799510c6c2cdf6b7
SHA256 d3c41834ea1a05eb19b6012a9c0c4a2dd9df243af0df56885edabedfe3fea261
SHA512 db9b277d74d1c50b8580b8dbeef1f5c3f54a6cf436a95c658bf7b8201d48ed651400fdde84d7297abf7f71b1f8f2bf335716833e564fa25cf10483b5f8766ec5

memory/1368-23-0x0000000000800000-0x0000000000900000-memory.dmp

memory/1368-22-0x00000000022A0000-0x00000000022C0000-memory.dmp

C:\ProgramData\ESET Malware ProtectionLYo\http_dll.dat

MD5 27a4ed145a9a6cb41af09b8927fd5bee
SHA1 815be32e1ae7ec20621e87239a6279fbba2fc8b5
SHA256 3fbbf30015b64b50912c09c43052ac48b1983e869cebfb88dd1271fcb4e60d10
SHA512 2978496330e0dcfafad6b9186181febe4af28cb7bec227bfab3f0be711e5160b96692a9752e260bf585abc0a5d481bd4d408ead88e0e2973552e4abb934107a8

C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

MD5 28c6f235946fd694d2634c7a2f24c1ba
SHA1 e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5
SHA256 c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
SHA512 16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be

memory/3456-14-0x0000000000FE0000-0x00000000010E0000-memory.dmp

memory/3456-10-0x0000000002A00000-0x0000000002A20000-memory.dmp

memory/1368-24-0x0000000000800000-0x0000000000900000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-20 01:36

Reported

2024-04-20 01:38

Platform

win7-20240215-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\arpa.exe"

Signatures

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\$TEMP\arpa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\$TEMP\arpa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\arpa.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\arpa.exe"

C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

"C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe" -app

Network

Country Destination Domain Proto
CN 45.248.87.140:443 tcp
(identical row repeated 6 times in the original log)

Files

memory/2212-1-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2212-11-0x0000000000390000-0x0000000000490000-memory.dmp

C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

MD5 28c6f235946fd694d2634c7a2f24c1ba
SHA1 e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5
SHA256 c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
SHA512 16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be

C:\ProgramData\ESET Malware ProtectionLYo\http_dll.dll

MD5 5b92266d9a26260b4c9920ede267ba37
SHA1 372d5455fdb689787e7e49f7799510c6c2cdf6b7
SHA256 d3c41834ea1a05eb19b6012a9c0c4a2dd9df243af0df56885edabedfe3fea261
SHA512 db9b277d74d1c50b8580b8dbeef1f5c3f54a6cf436a95c658bf7b8201d48ed651400fdde84d7297abf7f71b1f8f2bf335716833e564fa25cf10483b5f8766ec5

C:\ProgramData\ESET Malware ProtectionLYo\http_dll.dat

MD5 27a4ed145a9a6cb41af09b8927fd5bee
SHA1 815be32e1ae7ec20621e87239a6279fbba2fc8b5
SHA256 3fbbf30015b64b50912c09c43052ac48b1983e869cebfb88dd1271fcb4e60d10
SHA512 2978496330e0dcfafad6b9186181febe4af28cb7bec227bfab3f0be711e5160b96692a9752e260bf585abc0a5d481bd4d408ead88e0e2973552e4abb934107a8

memory/320-17-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/320-18-0x0000000000660000-0x0000000000760000-memory.dmp

memory/320-19-0x0000000000660000-0x0000000000760000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-20 01:36

Reported

2024-04-20 01:39

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\arpa.exe"

Signatures

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\$TEMP\arpa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\$TEMP\arpa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\arpa.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\arpa.exe"

C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

"C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe" -app

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8

Network


Files

memory/1028-1-0x0000000002F90000-0x0000000002FB0000-memory.dmp

memory/1028-2-0x00000000014F0000-0x00000000015F0000-memory.dmp

C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

MD5 28c6f235946fd694d2634c7a2f24c1ba
SHA1 e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5
SHA256 c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
SHA512 16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be

C:\ProgramData\ESET Malware ProtectionLYo\http_dll.dll

MD5 5b92266d9a26260b4c9920ede267ba37
SHA1 372d5455fdb689787e7e49f7799510c6c2cdf6b7
SHA256 d3c41834ea1a05eb19b6012a9c0c4a2dd9df243af0df56885edabedfe3fea261
SHA512 db9b277d74d1c50b8580b8dbeef1f5c3f54a6cf436a95c658bf7b8201d48ed651400fdde84d7297abf7f71b1f8f2bf335716833e564fa25cf10483b5f8766ec5

memory/1364-13-0x0000000000BC0000-0x0000000000BE0000-memory.dmp

C:\ProgramData\ESET Malware ProtectionLYo\http_dll.dat

MD5 27a4ed145a9a6cb41af09b8927fd5bee
SHA1 815be32e1ae7ec20621e87239a6279fbba2fc8b5
SHA256 3fbbf30015b64b50912c09c43052ac48b1983e869cebfb88dd1271fcb4e60d10
SHA512 2978496330e0dcfafad6b9186181febe4af28cb7bec227bfab3f0be711e5160b96692a9752e260bf585abc0a5d481bd4d408ead88e0e2973552e4abb934107a8

memory/1364-14-0x0000000000C50000-0x0000000000D50000-memory.dmp

memory/1364-15-0x0000000000C50000-0x0000000000D50000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-20 01:36

Reported

2024-04-20 01:38

Platform

win7-20240221-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\http_dll.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 2804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
(identical row repeated 7 times in the original log)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\http_dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\http_dll.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-20 01:36

Reported

2024-04-20 01:38

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\http_dll.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 3408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
(identical row repeated 3 times in the original log)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\http_dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\http_dll.dll,#1

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-20 01:36

Reported

2024-04-20 01:38

Platform

win7-20240221-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118.exe"

Signatures

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A
N/A N/A C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118.exe C:\Windows\SysWOW64\rundll32.exe
(identical row repeated 7 times in the original log)
PID 3020 wrote to memory of 3032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\arpa.exe
(identical row repeated 4 times in the original log)
PID 3032 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe
(identical row repeated 4 times in the original log)

Processes

C:\Users\Admin\AppData\Local\Temp\fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fba356748c02da7a65ddef9470aa1cf2_JaffaCakes118.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" url.dll, FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\arpa.exe

C:\Users\Admin\AppData\Local\Temp\arpa.exe

"C:\Users\Admin\AppData\Local\Temp\arpa.exe"

C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

"C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe" -app

Network

Country Destination Domain Proto
CN 45.248.87.140:443 tcp
(identical row repeated 6 times in the original log)

Files

C:\Users\Admin\AppData\Local\Temp\arpa.exe

MD5 28c6f235946fd694d2634c7a2f24c1ba
SHA1 e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5
SHA256 c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
SHA512 16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 5b92266d9a26260b4c9920ede267ba37
SHA1 372d5455fdb689787e7e49f7799510c6c2cdf6b7
SHA256 d3c41834ea1a05eb19b6012a9c0c4a2dd9df243af0df56885edabedfe3fea261
SHA512 db9b277d74d1c50b8580b8dbeef1f5c3f54a6cf436a95c658bf7b8201d48ed651400fdde84d7297abf7f71b1f8f2bf335716833e564fa25cf10483b5f8766ec5

C:\Users\Admin\AppData\Local\Temp\http_dll.dat

MD5 27a4ed145a9a6cb41af09b8927fd5bee
SHA1 815be32e1ae7ec20621e87239a6279fbba2fc8b5
SHA256 3fbbf30015b64b50912c09c43052ac48b1983e869cebfb88dd1271fcb4e60d10
SHA512 2978496330e0dcfafad6b9186181febe4af28cb7bec227bfab3f0be711e5160b96692a9752e260bf585abc0a5d481bd4d408ead88e0e2973552e4abb934107a8

memory/3032-12-0x0000000000130000-0x0000000000150000-memory.dmp

memory/3032-16-0x00000000004B0000-0x00000000005B0000-memory.dmp

memory/2616-28-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2616-29-0x0000000000820000-0x0000000000920000-memory.dmp

memory/2616-30-0x0000000000820000-0x0000000000920000-memory.dmp