Malware Analysis Report

2024-10-19 07:12

Sample ID 240506-be3m3abg81
Target 1a0825f4897c1dcf8e535685621556fe_JaffaCakes118
SHA256 3c966798000d94713c63bbf32a52284ccd82811ae6dcb370cd075855010f9e34
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c966798000d94713c63bbf32a52284ccd82811ae6dcb370cd075855010f9e34

Threat Level: Known bad

The file 1a0825f4897c1dcf8e535685621556fe_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-06 01:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 01:04

Reported

2024-05-06 01:06

Platform

win7-20240220-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe N/A 64

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2184 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe 9
PID 2184 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe 4
PID 2184 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe 4
PID 2184 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe 4
PID 2184 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe 9
PID 1724 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe

"1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe

"1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe

"1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe

"1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe

"1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1B00.tmp"

Network

Country Destination Domain Proto Count
EE 91.193.75.199:5449 tcp 28

Files

C:\Users\Admin\AppData\Local\Temp\tmp1B00.tmp

MD5 779b93dce4b119f3c6a6a9678d33cbdb
SHA1 7b70a8f6490885acc9b4f725d5a36d869951400b
SHA256 aebf4f6c2f58eceb924d4a3988824d58e7e44c8e6d31f7a1da761438fa59f129
SHA512 346f777e8535c10ad2eeacb06023f026f194930af91c7a958a659e6fe63bcb34bbc788d322b0559aead0aecf8576dcc5f61f3ec7434ecd2dc51e751e7f13dd91

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 01:04

Reported

2024-05-06 01:06

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe N/A 64

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3540 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe 8
PID 3540 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe 3
PID 3540 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe 8
PID 1144 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe

"1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe

"1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe

"1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp"
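The schtasks call above imports the task definition from an XML file in the user's Temp directory, so the task's action and trigger are not visible on the command line; only the dropped tmp4585.tmp (hashes in the Files section) tells you what "DDP Service" runs. The following Python is an added example, not part of this report or of the sandbox's tooling: it parses schtasks command lines as they appear in process-creation telemetry (the Processes section here, Sysmon Event ID 1, or Security 4688) and flags /create calls whose /xml or /tr argument points into a user-writable directory. The first sample line is the report's own; the other two are constructed for contrast, and the USER_WRITABLE directory list is an assumption.

```python
"""Flag scheduled-task persistence in process-creation command lines.

Added example for this report, not part of the sandbox's own tooling.
Feed it the command lines from the Processes section above, or from
Sysmon Event ID 1 / Security 4688 records.
"""
import re

# Sample input: the first line is the report's own schtasks call; the
# other two are constructed for contrast (one variant that uses /tr
# instead of /xml, one benign query that must not be flagged).
SAMPLE_CMDLINES = [
    '"schtasks.exe" /create /f /tn "DDP Service" '
    '/xml "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4585.tmp"',
    '"schtasks.exe" /create /sc minute /mo 1 /tn "Updater" '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe"',                       # constructed
    '"schtasks.exe" /query /tn "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"',  # constructed
]

# Assumption: directories an unprivileged user can write to. A task whose
# definition or action lives here was not installed by an administrator.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)

# Windows-style tokenizer: quoted arguments (which may contain spaces) stay
# intact with the quotes stripped; backslashes are not escape characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return {switch: value-or-True} for a schtasks command line, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    image = toks[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks.exe", "schtasks"):
        return None
    args = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            # A switch followed by a non-switch token takes it as its value;
            # otherwise it is a bare flag such as /create or /f.
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def assess(cmdline):
    """Return a finding dict for a suspicious 'schtasks /create', else None."""
    args = parse_schtasks(cmdline)
    if args is None or "create" not in args:
        return None
    source = args.get("xml") or args.get("tr")
    reasons = []
    if "xml" in args:
        reasons.append("task imported from XML: action and trigger are not on the command line")
    if isinstance(source, str) and USER_WRITABLE.search(source):
        reasons.append("definition/action in user-writable path: " + source)
    if "f" in args:
        reasons.append("/f silently replaces any existing task of that name")
    return {"task": args.get("tn"), "source": source, "reasons": reasons}


def flag_all(cmdlines):
    """Findings for every command line that is a schtasks /create."""
    return [f for f in map(assess, cmdlines) if f is not None]


if __name__ == "__main__":
    for finding in flag_all(SAMPLE_CMDLINES):
        print(finding["task"], "<-", finding["source"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

When the task was imported with /xml, as here, the next step on a live host is to pull the registered definition back out (the XML under C:\Windows\System32\Tasks\<name>, or Export-ScheduledTask) and read its Actions element, since the command line alone never shows the payload path.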

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp 1
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp 1
US 8.8.8.8:53 g.bing.com udp 1
US 204.79.197.237:443 g.bing.com tcp 1
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp 1
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp 1
NL 23.62.61.97:443 www.bing.com tcp 2
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp 1
EE 91.193.75.199:5449 - tcp 23
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp 1
US 20.231.121.79:80 - tcp 1
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp 1
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp 1
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp 1
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp 1
US 8.8.8.8:53 88.121.18.2.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 204.79.197.200:443 tse1.mm.bing.net tcp 4
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp 1
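Almost everything in the Network table is sandbox background noise (DNS to 8.8.8.8, reverse lookups, Bing and Microsoft TLS); the repeated TCP connections to 91.193.75.199:5449, with no resolved hostname and no matching DNS query, are the traffic a responder cares about. The following Python is an added example, not part of this report or of the sandbox's tooling: it parses rows in the sandbox's raw one-row-per-connection format (country, ip:port, optional domain, protocol), discards resolver traffic and anything the sandbox tied to a hostname, and ranks what remains by repeat count. The row excerpt is taken from the table above; the min_count threshold and the Suricata rule template (with a caller-chosen SID) are assumptions.

```python
"""Rank sandbox network rows to find beacon-like connections.

Added example for this report, not sandbox tooling. Rows use the raw
format of the Network table above: country, ip:port, an optional
resolved domain ("-" or absent when the sandbox saw none), protocol.
"""
from collections import Counter

# Excerpt of the table above, one line per connection in original order:
# enough to show resolver noise, Bing/Microsoft TLS noise and the C2 hits.
SAMPLE_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
EE 91.193.75.199:5449 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
EE 91.193.75.199:5449 tcp
EE 91.193.75.199:5449 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
EE 91.193.75.199:5449 tcp
"""


def parse_rows(text):
    """Parse 'CC ip:port [domain] proto' rows; the domain column may be empty."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or ":" not in parts[1]:
            continue  # blank line or the column header
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
        ip, port = dest.rsplit(":", 1)
        conns.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto.lower()})
    return conns


def beacon_candidates(conns, min_count=3):
    """Destinations hit repeatedly with no resolved hostname, most-hit first.

    Resolver traffic (udp/53) is dropped, and so is anything the sandbox
    could tie to a hostname: an implant that connects by hard-coded IP
    never produces a matching DNS query. min_count is an assumed threshold.
    """
    hits = Counter()
    for c in conns:
        if c["proto"] == "udp" and c["port"] == 53:
            continue
        if c["domain"]:
            continue
        hits[(c["ip"], c["port"], c["proto"])] += 1
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        {"ip": ip, "port": port, "proto": proto, "count": n,
         "nonstandard_port": port not in (80, 443)}
        for (ip, port, proto), n in ranked if n >= min_count
    ]


def suricata_rule(cand, sid):
    """Simple Suricata/Snort rule for an outbound hit on the endpoint; sid is caller-chosen."""
    return ('alert {proto} $HOME_NET any -> {ip} {port} '
            '(msg:"Sandbox-derived C2 endpoint {ip}:{port}"; flow:to_server; '
            'sid:{sid}; rev:1;)').format(proto=cand["proto"], ip=cand["ip"],
                                         port=cand["port"], sid=sid)


if __name__ == "__main__":
    for cand in beacon_candidates(parse_rows(SAMPLE_ROWS)):
        print(cand)
        print(suricata_rule(cand, sid=1000001))
```

The single connection to 20.231.121.79:80 also has no hostname but falls under the threshold; on the full table it stays a one-off, which is the behaviour you want from a count-based first pass before looking at timing.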

Files

memory/3540-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

memory/3540-1-0x0000000000AC0000-0x0000000000BAE000-memory.dmp

memory/3540-2-0x00000000059D0000-0x0000000005EFC000-memory.dmp

memory/3540-3-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/3540-4-0x00000000054E0000-0x00000000054E8000-memory.dmp

memory/3540-5-0x00000000056E0000-0x0000000005742000-memory.dmp

memory/3540-6-0x0000000005740000-0x0000000005768000-memory.dmp

memory/3540-15-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-69-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-74-0x0000000005930000-0x00000000059CC000-memory.dmp

memory/3540-75-0x00000000058A0000-0x00000000058D8000-memory.dmp

memory/3540-29-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-71-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-67-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-65-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-63-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-61-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-59-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-57-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-55-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-53-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-51-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-49-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-47-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-45-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-43-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-41-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-39-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-37-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-35-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-33-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-25-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-21-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-17-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-31-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-27-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-24-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-19-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-13-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-11-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-9-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-8-0x0000000005740000-0x0000000005761000-memory.dmp

memory/3540-77-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1144-79-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1144-80-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1144-81-0x0000000005A90000-0x0000000006034000-memory.dmp

memory/1144-82-0x00000000055C0000-0x0000000005652000-memory.dmp

memory/1144-83-0x0000000005590000-0x000000000559A000-memory.dmp

memory/1144-84-0x0000000074A10000-0x00000000751C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp

MD5 779b93dce4b119f3c6a6a9678d33cbdb
SHA1 7b70a8f6490885acc9b4f725d5a36d869951400b
SHA256 aebf4f6c2f58eceb924d4a3988824d58e7e44c8e6d31f7a1da761438fa59f129
SHA512 346f777e8535c10ad2eeacb06023f026f194930af91c7a958a659e6fe63bcb34bbc788d322b0559aead0aecf8576dcc5f61f3ec7434ecd2dc51e751e7f13dd91

memory/1144-89-0x0000000005790000-0x000000000579A000-memory.dmp

memory/1144-90-0x00000000057A0000-0x00000000057BE000-memory.dmp

memory/1144-91-0x0000000005A80000-0x0000000005A8A000-memory.dmp

memory/3540-92-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

memory/3540-93-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/3540-94-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1144-95-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1144-96-0x0000000074A10000-0x00000000751C0000-memory.dmp