Malware Analysis Report

2024-10-19 07:12

Sample ID 240506-wpm1ksga98
Target 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118
SHA256 3a903150a230d5a6f08058cddedf503aa25076b489690a092b3ee46298cfd531
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a903150a230d5a6f08058cddedf503aa25076b489690a092b3ee46298cfd531

Threat Level: Known bad

The file 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Drops startup file

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-06 18:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 18:05

Reported

2024-05-06 18:08

Platform

win7-20240221-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\..url C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 112 set thread context of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 112 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 112 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 112 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 112 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2668 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2668 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2668 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2668 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 112 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 112 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 112 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 112 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 112 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 112 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 112 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 112 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
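The SetThreadContext row and the WriteProcessMemory rows above are two halves of one event: the dropper (PID 112) starts RegAsm.exe (PID 2420), writes its payload into the new process and then rewrites the primary thread's context so execution lands in the written image, which is the process-hollowing pattern. The writes into csc.exe, cvtres.exe and schtasks.exe, by contrast, are the ordinary writes a parent makes while creating a child and carry no injection signal on their own. The Python below is an added example, not part of the sandbox report, that parses a subset of the rows exactly as printed above and joins the two tables so that only the (source, target) pairs seen in both are reported. The HOLLOW_HOSTS list is an assumption (an analyst-maintained list of .NET utilities commonly used as hollowing hosts), not something the report states.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Subset of rows copied from the behavioral1 "Suspicious use of SetThreadContext"
# and "Suspicious use of WriteProcessMemory" tables (Indicator column is N/A).
# The sandbox logs one row per call, so the same (source, target) pair repeats.
SIGNATURE_ROWS = r"""
PID 112 set thread context of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 112 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2668 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 112 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 112 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"""

# Row layout: "PID <src> <op> <dst> <indicator> <source image> <target image>".
# The target image is anchored on a drive letter so a source path containing
# spaces would still split correctly.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P<indicator>\S+) (?P<src_image>.+?) (?P<dst_image>[A-Za-z]:\\.+)$"
)

# Assumption: Microsoft-signed .NET utilities that commodity loaders commonly
# hollow. This is an analyst-maintained list, not something the report defines.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}


def parse_rows(text):
    """Turn the flattened signature rows into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "op": "wpm" if m["op"].startswith("wrote") else "stc",
            "src_image": PureWindowsPath(m["src_image"]).name,
            "dst_image": PureWindowsPath(m["dst_image"]).name,
        })
    return events


def triage_injection(text):
    """Report (source, target) pairs that show both WriteProcessMemory and SetThreadContext."""
    events = parse_rows(text)
    writes = Counter((e["src"], e["dst"]) for e in events if e["op"] == "wpm")
    context_sets = {(e["src"], e["dst"]): e for e in events if e["op"] == "stc"}
    findings = []
    for (src, dst), e in context_sets.items():
        # A plain CreateProcess produces writes alone; hollowing also needs the
        # thread context rewritten, so require both before flagging the pair.
        if writes[(src, dst)] == 0:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "src_image": e["src_image"],
            "dst_image": e["dst_image"],
            "writes": writes[(src, dst)],
            "lolbin_host": e["dst_image"].lower() in HOLLOW_HOSTS,
        })
    return {"write_counts": dict(writes), "hollowing": findings}


if __name__ == "__main__":
    result = triage_injection(SIGNATURE_ROWS)
    for f in result["hollowing"]:
        print(f"{f['src']} ({f['src_image']}) -> {f['dst']} ({f['dst_image']}): "
              f"{f['writes']} writes + SetThreadContext, known hollowing host={f['lolbin_host']}")
```

Run against the rows above this reports a single pair, 112 -> 2420, while the writes into csc.exe, cvtres.exe and schtasks.exe are counted but not flagged. The Processes section corroborates the verdict: RegAsm.exe is started with no assembly argument, yet it is the process that later queries EnableLUA and polls GetForegroundWindow.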

Processes

C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2665.tmp" "c:\Users\Admin\AppData\Local\Temp\1i033x1w\CSC677D710CA27C4C24A8AC3AA7EF177BF0.TMP"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /query

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /sc MINUTE /tn Intel /MO 1 /tr "C:\Users\Admin\AppData\Roaming\null\

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DDD22CF5-D4E7-43A0-8ABB-9225C7372A25} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp

Files

memory/112-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

memory/112-1-0x0000000000CA0000-0x0000000000CF4000-memory.dmp

memory/112-2-0x0000000074CD0000-0x00000000753BE000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.cmdline

MD5 b62b62d8c2cfabf7f7b97cbd0dbeb6ce
SHA1 84179fb86a0c94ebb345f62df97fe71fce25624f
SHA256 0e70c70e6de83eeaa875d7cb726095edc2671c050df658ec07f97acaa0ffacd5
SHA512 1a012aa5a894ef4b002ce79c77ebd2b0853fdc10f2eaec8025bbbed7dd4c0aa41fdb8fba2375f8e39f690884cfd09f746fe956c01a4beac24583eac0bc6fd498

\??\c:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.0.cs

MD5 21cd1b3e77c3f770205babc7a862c6ef
SHA1 ee71e8ef404a95d7f77e2421d5892f349d0fc2be
SHA256 905250aa3670ddec5a3a4d3c2427190f973fe3c669b030884b5ef7da6339b075
SHA512 806ce8d2162864331b29ebb1fe0bf814965db9077c537d5a0b9c13294c1edcba6e11c5f929824a3aef8680097e0322c09481f4aaa450cceee788591f6d2441b4

\??\c:\Users\Admin\AppData\Local\Temp\1i033x1w\CSC677D710CA27C4C24A8AC3AA7EF177BF0.TMP

MD5 b8a3b8f4f42256c7b24bcbfbbbd8465b
SHA1 64ecf56bfb45e8f6aa323155a10e8a3a72e9a087
SHA256 34e1bbb560360bf5925db35dd6eaa742428738c9e72ed320237c4e8da8e86237
SHA512 882c657de6b3cd04f9e45ae260820a6f9965d450203101953d4bb439f3a306e312bccec52bc7760c3d00a3022a828fbd05dcd8789e9169d0247cad5a990e596a

C:\Users\Admin\AppData\Local\Temp\RES2665.tmp

MD5 f94dffec592d234baba7811193fc96ec
SHA1 f034ffe0603e7dee7478121f7e57efdb360eea81
SHA256 3362c95afa86e1ed2e81ad9fb1b07d50a9e36fa83e52565f59885f4c4223687e
SHA512 2b716aee6bd593925e6484093f43af0f837b48b0b54ce8cc7d04f51fa77d631639d409c46e4b3f023093783e5226e44ed324467979c05b605cff2bf14a06b74e

C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.dll

MD5 1eb72ef87f3b3192a85d7baaf0bba5de
SHA1 224ac941518bce99fd86c1915ceea0811580b8e2
SHA256 e850b72396bd1d0a3e044179a0cf90036660cf1bdfa1b1aab189ba70cf0305c3
SHA512 77c188baa0378318702ff03abd47c66561845ecc67f3902a0df68f5233a108e73d01aecc0cc4a9ad005e89773bddd1cc844780c99851370e1b9ebd1dbf00abc7

C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.pdb

MD5 17d7c39ee60c41a171399224f5fe875f
SHA1 236b90ec2dc254222d89e8637790cb14c619da20
SHA256 82fbe1e585d1f1ada97935c76852caf4a641b995d02a69e1bbc471a6100f8fcb
SHA512 1578427a0a50d29b4bfbf1feeb9165e3c6aa5a792b43ba3d77851e2fdc69170b86aea88adc412c4e441740b57453571369365f0990d8e93ab50d916fd261d4a1

memory/112-17-0x00000000003E0000-0x00000000003E8000-memory.dmp

memory/112-19-0x0000000000C60000-0x0000000000CA4000-memory.dmp

memory/112-20-0x0000000000470000-0x000000000047C000-memory.dmp

memory/112-23-0x0000000004140000-0x0000000004178000-memory.dmp

memory/2420-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2420-26-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2420-33-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2420-35-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2420-34-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2420-30-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2420-29-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2420-24-0x0000000000400000-0x0000000000438000-memory.dmp

memory/112-36-0x0000000074CD0000-0x00000000753BE000-memory.dmp

memory/2420-38-0x0000000000580000-0x000000000058A000-memory.dmp

memory/2420-39-0x0000000000590000-0x00000000005AE000-memory.dmp

memory/2420-40-0x00000000005F0000-0x00000000005FA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 18:05

Reported

2024-05-06 18:08

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\..url C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 628 set thread context of 4492 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 628 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 628 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 628 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3608 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3608 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3608 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 628 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 628 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 628 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 628 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 628 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 628 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 628 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 628 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 628 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 628 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 628 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 628 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 628 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 628 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES290F.tmp" "c:\Users\Admin\AppData\Local\Temp\54ixrtip\CSCC25CA9D1F3F441AC9AD181B36290FD66.TMP"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /query

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /sc MINUTE /tn Intel /MO 1 /tr "C:\Users\Admin\AppData\Roaming\null\

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
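The Processes sections of both runs show the same three command-line patterns worth pulling out of a process list: csc.exe driven by a response file in %TEMP% (runtime compilation of the source dropped as 1i033x1w.0.cs / 54ixrtip.0.cs), a schtasks /create whose trigger is every minute and whose action lives under AppData\Roaming, and RegAsm.exe started with no assembly path. The Python below is an added example, not part of the sandbox report, that applies those three rules to the behavioral1 command lines exactly as printed, including the schtasks /create line whose /tr value the report truncates after "null\", so the splitter has to tolerate an unterminated quote rather than raise. The rules and the USER_WRITABLE pattern are analyst heuristics assumed for the example; the report itself only lists the command lines.

```python
import re
from pathlib import PureWindowsPath

# Command lines copied from the behavioral1 Processes section. The schtasks
# /create line is reproduced as the report prints it, with the /tr value cut
# off after "null\" and its closing quote missing.
SAMPLE_CMDLINES = r"""
"C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2665.tmp" "c:\Users\Admin\AppData\Local\Temp\1i033x1w\CSC677D710CA27C4C24A8AC3AA7EF177BF0.TMP"
"schtasks.exe" /query
"schtasks.exe" /create /sc MINUTE /tn Intel /MO 1 /tr "C:\Users\Admin\AppData\Roaming\null\
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
"""

# Assumption: a task action under either AppData tree is user-writable and
# therefore suspicious for a task named after a hardware vendor.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def split_cmdline(cmdline):
    """Whitespace split with double-quote grouping, enough for these lines.
    Returns (tokens, truncated); truncated is True when a quote is never closed."""
    tokens, buf, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens, in_quote


def schtasks_options(args):
    """Collect the value-taking schtasks switches of interest, case-insensitively."""
    opts, i = {}, 0
    while i < len(args):
        key = args[i].lower()
        if key in ("/sc", "/tn", "/mo", "/tr") and i + 1 < len(args):
            opts[key] = args[i + 1]
            i += 2
        else:
            i += 1
    return opts


def triage_cmdline(cmdline):
    """Apply the three rules to one command line and return image, truncation flag and findings."""
    tokens, truncated = split_cmdline(cmdline.strip())
    if not tokens:
        return {"image": None, "truncated": truncated, "findings": []}
    image = PureWindowsPath(tokens[0]).name.lower()
    args = tokens[1:]
    findings = []
    if image == "schtasks.exe" and any(a.lower() == "/create" for a in args):
        opts = schtasks_options(args)
        if opts.get("/sc", "").upper() == "MINUTE":
            findings.append(f"schtasks: task {opts.get('/tn', '?')!r} re-runs every "
                            f"{opts.get('/mo', '1')} minute(s)")
        if USER_WRITABLE.search(opts.get("/tr", "")):
            note = " (value truncated in the report)" if truncated else ""
            findings.append("schtasks: action path is under a user-writable AppData directory" + note)
    elif image == "csc.exe" and any(a.startswith("@") for a in args):
        # csc.exe fed a response file in %TEMP% is the CodeDOM runtime-compile
        # pattern; on a developer box the parent would be an IDE or MSBuild.
        findings.append("csc.exe: runtime compilation from a %TEMP% response file")
    elif image == "regasm.exe" and not args:
        # The genuine tool needs an assembly path and exits at once without
        # one; a long-lived, argument-less RegAsm.exe is a hollowed host.
        findings.append("RegAsm.exe: started with no assembly path, consistent with hollowing")
    return {"image": image, "truncated": truncated, "findings": findings}


def triage_process_list(text):
    """Return only the command lines that produced findings."""
    results = (triage_cmdline(line) for line in text.strip().splitlines())
    return [r for r in results if r["findings"]]


if __name__ == "__main__":
    for r in triage_process_list(SAMPLE_CMDLINES):
        print(r["image"], "->", "; ".join(r["findings"]))
```

The "schtasks.exe /query" line and the cvtres.exe line produce nothing, which is the intended behaviour: cvtres.exe is only interesting because csc.exe spawned it. The behavioral2 command lines differ only in PIDs and temp-directory names, so the same three rules fire there; the msedge.exe utility process in that run is not attributed to the sample by the report and is ignored here.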

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 48.28.101.95.in-addr.arpa udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
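The Network tables of both runs are dominated by one name, smithhk.ddns.net, looked up over and over against the sandbox's resolvers (8.8.8.8 and 8.8.4.4) with no TCP row ever following it, which is what a RAT retrying a dead or unresolvable C2 host looks like. The behavioral2 table also mixes in reverse (in-addr.arpa) lookups that Windows issues on its own and two direct TCP connections that the report does not attribute to any process. The Python below is an added example, not part of the sandbox report, that parses a subset of the behavioral2 rows as printed, separates those three kinds of traffic and ranks the remaining names by lookup count. The DYNDNS_SUFFIXES list and the min_queries threshold are assumptions for the example; the report only shows the hostname.

```python
import re
from collections import Counter

# Subset of rows copied from the behavioral2 Network table. TCP rows carry no
# Domain column and the *.in-addr.arpa rows are OS-issued reverse lookups, so
# the parser treats the Domain column as optional and filters PTR names out.
NETWORK_ROWS = """
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.4.4:53 smithhk.ddns.net udp
US 8.8.8.8:53 smithhk.ddns.net udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.4.4:53 smithhk.ddns.net udp
"""

# Assumption: dynamic-DNS suffixes commodity RATs favour for C2. This is an
# analyst-maintained list, not something the report states.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org", ".zapto.org")

# Row layout: "<country> <ip>:<port> [<domain>] <proto>".
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_network(text):
    """Turn the flattened network rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                         "domain": m["domain"], "proto": m["proto"]})
    return rows


def triage_network(text, min_queries=3):
    """Split the rows into beacon candidates, PTR noise and direct connections."""
    rows = parse_network(text)
    is_ptr = lambda d: d is not None and d.endswith(".in-addr.arpa")
    lookups = Counter(r["domain"] for r in rows
                      if r["port"] == 53 and r["domain"] and not is_ptr(r["domain"]))
    ptr_lookups = sum(1 for r in rows if is_ptr(r["domain"]))
    direct = sorted({(r["ip"], r["port"], r["proto"]) for r in rows if r["port"] != 53})
    beacons = []
    for domain, n in lookups.most_common():
        reasons = []
        if n >= min_queries:
            # Repeated lookups of the same name within one detonation are the
            # retry loop of a client that never got a usable answer.
            reasons.append(f"looked up {n} times")
        if domain.endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic DNS host")
        if reasons:
            beacons.append({"domain": domain, "queries": n, "reasons": reasons})
    return {"beacons": beacons, "ptr_lookups": ptr_lookups, "direct": direct}


if __name__ == "__main__":
    result = triage_network(NETWORK_ROWS)
    for b in result["beacons"]:
        print(f"{b['domain']}: {', '.join(b['reasons'])}")
    print(f"reverse lookups ignored: {result['ptr_lookups']}")
    for ip, port, proto in result["direct"]:
        print(f"direct {proto} to {ip}:{port} (not attributed to a process by the report)")
```

On the full behavioral1 table the same code counts 73 lookups of smithhk.ddns.net and nothing else, which makes the hostname the one network indicator to block and hunt for. The two TCP destinations in behavioral2 appear only alongside the msedge.exe utility process and cannot be tied to the sample on this evidence, so they are reported separately rather than as C2.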

Files

memory/628-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

memory/628-1-0x0000000000BD0000-0x0000000000C24000-memory.dmp

memory/628-2-0x0000000074E40000-0x00000000755F0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.cmdline

MD5 240bcd6db79f7db6ac9891b70eb30026
SHA1 8403e423f081d191ca18046861c4ed7061293ade
SHA256 e8846aee42600e74dd7c5b9c2bcaf043ab23f6c87cca26def3d0313d8a746b57
SHA512 8fd8558863998457a95bcc9c1c8e37f387140767d01c60002b8beb3dcfe788090477581a1dc122191e1771355dd85877be8b3ad59525bfd94b80ce8383ab9372

\??\c:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.0.cs

MD5 21cd1b3e77c3f770205babc7a862c6ef
SHA1 ee71e8ef404a95d7f77e2421d5892f349d0fc2be
SHA256 905250aa3670ddec5a3a4d3c2427190f973fe3c669b030884b5ef7da6339b075
SHA512 806ce8d2162864331b29ebb1fe0bf814965db9077c537d5a0b9c13294c1edcba6e11c5f929824a3aef8680097e0322c09481f4aaa450cceee788591f6d2441b4

\??\c:\Users\Admin\AppData\Local\Temp\54ixrtip\CSCC25CA9D1F3F441AC9AD181B36290FD66.TMP

MD5 2492da72482474621a04af0a01f39e44
SHA1 184df1e2d2b5560f4e5ac97d02ac6bf75511b063
SHA256 ac69b4814ed40e12df850eb5365cf57bde36bee697e83d79d15b5e8e875eba8c
SHA512 f060584e7ee2b7c804d7eda4a617cda17a9dcac9d802f750a975575da25eefdcc2379dd36f741859f8d3901906eace3d7b95731f6739d60cfc022f756667a192

C:\Users\Admin\AppData\Local\Temp\RES290F.tmp

MD5 c5288916b2564c30e65653d4b70a5d38
SHA1 92c3997c9979f9f85970c35d741565f7591d330c
SHA256 9e03dc6749b8b3214b8426bb153d32db38a070f811d716ec9f24c7cf8acda2df
SHA512 e4c0ccf3d99b9d141bbca3ca3e7de117f0f0017cbb0da601c5c528103c87f771532a51ff4ba92495a85aa9f858adfa33c1b73c29ca95a527dd3338f2d40fe377

C:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.dll

MD5 85229e27e4b3fab088930f108dee0a97
SHA1 b8bd04715614076ae9881e403864e95a04c6a350
SHA256 0fa75a10cb206bec76b7fbf6c5bb058d643086768c8808ed2ee2501809662d95
SHA512 3fb23233f03d58e8f57a4e4e88dc902b3e6819daec29fd3129cf5166c3e09f12f05ae9ef0c9526e73d7deb8b8e25dc9459e6d296e0fce2d38b4d27f3036e8ba9

C:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.pdb

MD5 acb3320a18588650826bc64aa4d529fa
SHA1 d56b49ebd99b2b020ce3845e668998bcc35353d5
SHA256 0435f405dd9d300539610b90b46234cc9458e079ecdf16b159ed6b3a1aca5e36
SHA512 2873d206c605f0a5339bd83da02b9b07dcf3526eae388f1eb6b890584f95c2e9550763da17da11e7f6aeca602c4697ea0a2fff972c9c19ff901714bd7b0be86a

memory/628-17-0x0000000002FC0000-0x0000000002FC8000-memory.dmp

memory/628-19-0x0000000005B10000-0x0000000005BA2000-memory.dmp

memory/628-20-0x0000000006020000-0x0000000006064000-memory.dmp

memory/628-21-0x0000000002F60000-0x0000000002F6C000-memory.dmp

memory/628-24-0x0000000005540000-0x0000000005578000-memory.dmp

memory/628-25-0x0000000006060000-0x00000000060FC000-memory.dmp

memory/4492-26-0x0000000000400000-0x0000000000438000-memory.dmp

memory/628-28-0x0000000074E40000-0x00000000755F0000-memory.dmp

memory/4492-29-0x00000000056D0000-0x0000000005C74000-memory.dmp

memory/4492-30-0x0000000005120000-0x000000000512A000-memory.dmp

memory/4492-32-0x00000000051A0000-0x00000000051AA000-memory.dmp

memory/4492-33-0x0000000005310000-0x000000000532E000-memory.dmp

memory/4492-34-0x00000000056B0000-0x00000000056BA000-memory.dmp