Analysis Overview
SHA256
96bf69304971f6a14c4c87dca9ea5cce395623e39052cc83408ce1580c5a7ead
Threat Level: Known bad
The file 1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detected microsoft outlook phishing page
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Modifies system certificate store
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-06 20:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-06 20:25
Reported
2024-05-06 20:28
Platform
win7-20231129-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1692 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 1692 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 1692 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 1692 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 169.254.23.201:1034 | tcp | |
| US | 16.102.42.25:1034 | tcp | |
| N/A | 192.168.1.34:1034 | tcp | |
| US | 24.169.237.173:1034 | tcp | |
| N/A | 192.168.1.2:1034 | tcp | |
| US | 8.8.8.8:53 | 126.com | udp |
| US | 8.8.8.8:53 | 126mx03.mxmail.netease.com | udp |
| US | 8.8.8.8:53 | alice.it | udp |
| US | 8.8.8.8:53 | mx.tim.it | udp |
| NL | 34.141.161.132:25 | mx.tim.it | tcp |
| US | 8.8.8.8:53 | mail.ru | udp |
| US | 8.8.8.8:53 | mxs.mail.ru | udp |
| HK | 103.129.252.44:25 | 126mx03.mxmail.netease.com | tcp |
| RU | 94.100.180.31:25 | mxs.mail.ru | tcp |
| US | 8.8.8.8:53 | search.lycos.com | udp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| NL | 34.141.161.132:25 | mx.tim.it | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | tin.it | udp |
| US | 8.8.8.8:53 | mx.tin.it | udp |
| NL | 34.90.152.141:25 | mx.tin.it | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | tim.it | udp |
| NL | 34.141.161.132:25 | mx.tim.it | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| RU | 94.100.180.31:25 | mxs.mail.ru | tcp |
| IN | 4.240.75.122:1034 | tcp | |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 52.101.9.5:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | alice.it | udp |
| IT | 217.169.121.227:25 | alice.it | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | mail.ru | udp |
| US | 8.8.8.8:53 | 126mx00.mxmail.netease.com | udp |
| RU | 94.100.180.200:25 | mail.ru | tcp |
| HK | 103.129.252.44:25 | 126mx00.mxmail.netease.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IT | 217.169.121.227:25 | alice.it | tcp |
| US | 8.8.8.8:53 | tin.it | udp |
| IT | 156.54.69.9:25 | tin.it | tcp |
| US | 8.8.8.8:53 | tim.it | udp |
| IT | 15.160.73.215:25 | tim.it | tcp |
| RU | 94.100.180.200:25 | mail.ru | tcp |
| N/A | 192.168.3.102:1034 | tcp | |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 75.2.70.75:25 | alumni.caltech.edu | tcp |
| US | 8.8.8.8:53 | mx.alice.it | udp |
| IT | 156.54.69.9:25 | mx.alice.it | tcp |
| US | 8.8.8.8:53 | mx.mail.ru | udp |
| US | 8.8.8.8:53 | 126mx02.mxmail.netease.com | udp |
| HK | 103.129.252.44:25 | 126mx02.mxmail.netease.com | tcp |
| RU | 94.100.180.87:25 | mx.mail.ru | tcp |
| IT | 156.54.69.9:25 | mx.alice.it | tcp |
| NL | 34.90.152.141:25 | mx.tin.it | tcp |
| NL | 34.141.161.132:25 | mx.tim.it | tcp |
| RU | 94.100.180.87:25 | mx.mail.ru | tcp |
| US | 16.37.50.108:1034 | tcp |
Files
memory/1692-0-0x0000000000500000-0x000000000050D000-memory.dmp
memory/1692-4-0x0000000000220000-0x0000000000228000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/1692-9-0x0000000000220000-0x0000000000228000-memory.dmp
memory/2380-11-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2380-17-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2380-21-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1692-22-0x0000000000220000-0x0000000000228000-memory.dmp
memory/2380-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2380-27-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2380-31-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2380-35-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2380-36-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2380-40-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2380-44-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | f5822587bc9079f7b8704d633c670247 |
| SHA1 | c5961d4e89c06da59bba771e9f5003dc205468f8 |
| SHA256 | 07672a5f4c6817be6082f4da9556f3f6032f41978d0340d3f6b41e8b8eb90874 |
| SHA512 | 537867f6707a1ac6a9f913d0442e30f73318193b4d914d525d482bfee815f08977a34f7ccb816d422a23ab400a72446f22b0ce54d2923bda2bb7e6e69f7cad1d |
C:\Users\Admin\AppData\Local\Temp\tmp8C4A.tmp
| MD5 | f078e2362f6080821d5e56bb11199c4f |
| SHA1 | d9f8f01319572d408cb52c3026992a97936524f8 |
| SHA256 | c90a6c106b7330054ecf957c6172d55c824f2abfddcd3477b9148cd15aa803b7 |
| SHA512 | 703d76ff459deeac983e88a886d21a17a0d62cbc1b7f96ab9d29bc95ebc8cee8169107a5701c0aef5369facb79c236a4d7728a0dddfd8abd3684bea257eb2228 |
memory/2380-67-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar93C1.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 08d98dbbf4d21bbeb6e1314fb3cf87f4 |
| SHA1 | 448bc26169136bdcd184fd98b58a4ae2a52a041f |
| SHA256 | 89f9569b6b4d504d2fd2da05d8a39cd44b87433df0769ed406b38b45a9be2f23 |
| SHA512 | 239d7038fe0a9c76a7545ff0f079337b6c1f6f1c7aa2a7c71e031f77cbb3262026344e8c6550ef81472e6ef433c8b9e30051c58d7d91a61051750c0c26d0a5b3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | ace76733b12691a73ad036fea36002ee |
| SHA1 | 99775dbf6df96cf86f1f55a62bf784d464d0c21f |
| SHA256 | 808ec9fa0e40f9d70fda85bc9e1fa3f805b7bd663848a32afcc25e35ede832ad |
| SHA512 | 2fc1bc2a0626f8d932e8317c6937e3f96940f29290b539d7dbf0767713fa10437595c92de592d0e4aa088c31b3d1eeb5c52ecd338d3ebc40459db356a7aff373 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6e2dd0846d60854eb0c38846f6da4bb0 |
| SHA1 | 39c41681a535d7baeda2853f1bc3859b0afe8dd3 |
| SHA256 | cfb11156df272fa134c23e5b98645600b968f35a0cf57fe512e3a22d581b082c |
| SHA512 | 25c138ff648ae4a2914b3be66a5f106efe68fffb6a6ec5e6efce9403b80349bbca5b13212879b580fec5ff9e3d376532fd57fabd2c5bd812ec06491e9b05db98 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 077654ac2ae3d7fa297eaca7472c7c93 |
| SHA1 | a1503d6cdc4de3a2d25a459ecd9c48fca65e9c2c |
| SHA256 | ca943d30cb2f2f48d42a344023f6f836121f7a2877f4c2ded35a7337909ca6cc |
| SHA512 | 50ff6b7bc2c465f6fa19af780b43576bfc580e8842ea9d9213279032aea10f90c29f40fa611e794ef10bc5363058f1afc551bbee9f25fffcdb47bde301110e54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a687a57fd6a12dbacf358196392a7f0e |
| SHA1 | 4c4c46efee98a137f0e3eeb20b5cff0b2efae111 |
| SHA256 | 99348fb68a71d385fa213767da67029c5bc2098fa521082a47a42aa9b302ec4e |
| SHA512 | 6e7f492bf2cc40685f462e8dc875e32815e75d3b0003e48ae14d33ade9b8eddc1f0c12b6c09c0b4ed3c0c78593ed70c17ad4c0468bed91f7a45d31dc6453aeb5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZF3XDR7\search[1].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 11d64dd2d950682ce2957b65bc496f3f |
| SHA1 | 85e3e7aa431a95e80b4c60020793e1dbefe88697 |
| SHA256 | 1bf6a7a3c50340c8f3ff81718f692fd72c6d81413b7f07c2b1930465c7b91771 |
| SHA512 | 8f622da1e353af53222503403f113431e0abe4eccbe4f77b2701fe630edfb571b3d92a08fe72c477d6bb173d6c46779602c71d0397a90fcf160ce71483fc7a88 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | f874971a2eafc6e719658cb8bf29236e |
| SHA1 | c46bef91fd830cd174d24f8ed44da1cc4287d331 |
| SHA256 | 75ec5e22ac50dfc10a64b75483908561d7b0b0f0e108fab7df6cd69bd362fd32 |
| SHA512 | 60cdbb639633a9d5299763c31af73b0b1268f036af560804f1e0687666a7a886dbd6750461ca3f1efb4e52da4b10f14e68b5b5f643ab21e88ecc55b5ee4fc7b6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 87597dc611fe540e6c6c04b1626fa8e2 |
| SHA1 | 9aefd6dc0ee8958ffc9b9fc18e3b999232e4ed55 |
| SHA256 | a7c5de6f8ba1c22693f41febdbc145026abccdf6b1fcc6e57f29ea28c6052000 |
| SHA512 | 91de0a3ab35fe3921f9d1ac55b55a228987ea4a45baa368a7624e8c32adf1a290cb922b4a767252239eed33cdda6d70b0ada23265d33c5815c3f5deff466289e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f345cc923cebe3d24307927deebb5ce3 |
| SHA1 | 7fad113bdedcf350190342a6953ba7eca004e26c |
| SHA256 | f08b5dd425af8a54aed3f79cd47a988c58c96486e000a83891c6259e9f0cc0c8 |
| SHA512 | f52d07ced67b8c66f52915fe9d187b04344cea31bf609e2bb314125aa278881f65438dc37398c013108645e70f546327c04db590e4dd403d2b26728fece1e46f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8KAOXZS9\search[3].htm
| MD5 | ac395cd3533be23378573a35117d4104 |
| SHA1 | b1a430b81eb51d71155404132352e56b3c7af3b4 |
| SHA256 | bbecfd899784a638723a2a6bc2e61aaedca68effbd7f6ff9e07ef0d52d66d72b |
| SHA512 | e2007f2aa1073250226f50da58e7c8ba6151c1bb2c96537973d7ec7e7da44f67dd330935483267a97fcf70c3f098fbc7b79adae562fabf5964ed1f315f8879a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dd7b72c215f0fd1fc7d23a88464423b5 |
| SHA1 | 62372de2db3e7b6c71d229192528a01e923e944e |
| SHA256 | 9d2b869abc81e061792787254ea70c91d856a363b0ccb033decab4d909d6c3d5 |
| SHA512 | f5ca4120eeb022a484e81cc1774bafe0e8ab9a170043f9f39490bc9850d846e307d72edb611eba43372acdab964753068f4abfc86874bd5d74376f843cba97ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d272c1c37f9279f8b0fff6a6e3156c88 |
| SHA1 | 38ac03871e9644317539e2491dc244d5fc6ad132 |
| SHA256 | e01682b06a4846c2064cd4939980fc798d1344123826e5163aa57dd4ff0b6a17 |
| SHA512 | e152daafe1cdccec9d7ee41c725e16133bcf90abd0688c9aa40d6f1032993dec1e74e3d747c4cd93eeae6f72ad3f6841fad281354c77b05e26d3924cf774336f |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | ebcbb56babe3e0a747791ca3f47f8904 |
| SHA1 | b756d5c642c1221d31fa6e210d45572b9674e7e5 |
| SHA256 | 68f20305cf26b8167969874f023812ece38f77617deafd238d8f26d0164fb986 |
| SHA512 | 94e19bea18e22ad38b7098bc215a568fc42f60bc8cb7bf5f3669bd90547bd11fbde0bf5304864d9ebd95687125e25c43d2f2a75e9a9b55ce46d24984dce21aa8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc91117dc3d282352ee209d277dc23a5 |
| SHA1 | 6ac0336c976c41eeb792aa2d828be37f816c6fa5 |
| SHA256 | 6ecf30e3fa036d127f69e32a3f8a372ba8afb66e98a43fbf34c392cc7a7c394b |
| SHA512 | b3ee894d6b58304da697f51cef6359919150e603f8a1497c449507fa95977690257521134b3272ab0270bf05d4a20ad059920c6090437e2cc0d0b236c0400970 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a789076ac83fd55704bdde0c6d5f4d8e |
| SHA1 | 62f378d361edfe70d511875461f40ce590239b6b |
| SHA256 | 7e6126c68c3ecc4ac14d52bcad1d4a02fafa7860319eaef123ecc420e30de16d |
| SHA512 | 1e2f166196ff3865bb9d94ee2b6da9843450ec2fc5740faec9872b708f849542fb3de84ecb060b47e0cf901e5ed2406efeabc6c2a11a945a18687d7cf0312725 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 81e78d2b955d8cf26e188ccca1311079 |
| SHA1 | 59aedc2a8b8471e60ea6dbae17fda2ed483a18eb |
| SHA256 | 3127ec3c3c8a6231ec9b18b6a74cc8c1e638c60e726aa0a255258631c91e50b7 |
| SHA512 | 4200f800e7b06538786eeb4a7d42895fd0c1f4d8bf900ad7dc9235d78a3715908f3923e5e6b1487a5d4dbc7987bf94321bbb6d0afcdc5532818c641d134e09f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eee0c0557b58e92e2c1af9f82d6ed27f |
| SHA1 | de66568b4175bf8adb6a6f6a0e434d9fa7b11c45 |
| SHA256 | 896d4e608d002371c3b069986acd773649dd4e898932bb2c07ec18e3db9134a9 |
| SHA512 | 4370cafd666b2b420007331f21a9f8044986b566f6b36a4225e8e9362513ef9e8eb210d6bb92b3052d2c7ff9b0f0e01ba5a445b3b383bea74ae87e0d91f27449 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6c6dd0245bdfde60473c9c093c263d96 |
| SHA1 | 8728634fa13693cbb1f94140df4155b7415eb6ea |
| SHA256 | 9a70de4e36f6215ae85f8909e19ca1bc6810531c89484f9063e192fef0975103 |
| SHA512 | 0fae6049c202d366df95add35729910f305b5d716c5f32c794b50dfc6776b3d1f34d5357546af0a89dd259d7ae42b0b809a4ae1b2b6df3eac4ff26140743ae74 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUC8J0B4\search[3].htm
| MD5 | 963805419fe4cd128dfbcbca9b5f9a05 |
| SHA1 | 56b05d784f94eb774f4554f0d45b3c2a067e27bd |
| SHA256 | d0437a3884f5f6b771c48d35acd37c0cceef974b1ca96e83c1f5db9efa79e902 |
| SHA512 | 4774c763446179ef219b8f900be33eb5864d7089bb993dc44052cdde722d224cf6be4de6b6a59488a28393f39657009e44b6ca0d504da98b12f65b97fee139d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCHRESJ4\GW937740.htm
| MD5 | f16562ea41b907da03ec50dbb07893e4 |
| SHA1 | 11e30635df482744ceb2d8e53e5dda5ebd586cd3 |
| SHA256 | ada90ef958a543da1699a497ed09d48aa57a41934ab167e05eb9ebb687c22297 |
| SHA512 | 67a927325505965e511f3b5bc9001eff41cba7ffd533802c515eca0790fcc7d33a59f1a236cdab490d6b8bbf2c2aa6c94a0aeee8e2710c0b03b34344333de79e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 424d55b33804dc590fc39bbd6090b540 |
| SHA1 | e0f36a22a0bb763c7d17029590e1b7e59c2f96ee |
| SHA256 | 869497dc1cc844179b84829860dd66b2cdabf8dfb1fb9a496055446516a7edd3 |
| SHA512 | ae7ed508353e8d38b5afbe60e8dd49d17c3db0c1fe98996fe47b7ca5b29a8dd1dac0f62a21033e665fefbcfd9af5deb7c0325fbefa09ec79832a0f14900e8802 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 98c12239a8572e24cf3a441f17ff1163 |
| SHA1 | dac06ad634915f02115503dabd8c444d11f52b8a |
| SHA256 | 18032a87f275d1515d537e8afddc57f52aad10ad95abfa74072e132f171e0a6d |
| SHA512 | 38f2cc15444b7e82652ba22c6a4251cbe73bd192a15d0a7ad40c0b63d042fc71bc456d7850cf8721209a25fb9c29717a5777a7557c88094a33ccaeaa346cca1f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCHRESJ4\results[3].htm
| MD5 | 211da0345fa466aa8dbde830c83c19f8 |
| SHA1 | 779ece4d54a099274b2814a9780000ba49af1b81 |
| SHA256 | aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5 |
| SHA512 | 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca |
memory/2380-1394-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUC8J0B4\search[9].htm
| MD5 | 519835c4dd7498ba7fd0198b65f409fa |
| SHA1 | a26c664c74aed4b105a0489480f158b421b6b20d |
| SHA256 | 496e7dbdb96903afe0a96952e19b4265f951ff00a9ad641e06ef13efad906aaf |
| SHA512 | 56932dbc6598af5eccaf2187c6743ef4028f876a730c2d8fba2c7e0ad5d55b9ffc6b0af6f12db57d39791a9ee849aa6883f0db6dd73cea2e529a1a29b9e6eb5b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8KAOXZS9\search[7].htm
| MD5 | c1ae03960d38dc30e5cd0c7be4412f9f |
| SHA1 | 901de482706e242be61b340dfd0ba65013891fcd |
| SHA256 | 815ea78b9a38bc32ee11bb59c3c3c80779e26ea97191dbbc4580bac5e372e3a8 |
| SHA512 | afa39fbefdbbb89ad2b08a02b10abc0f93815e702ea14f74344410dd5895974144c785ad49cd1b566135f6bfbffe9d0cef7bef5a40897ab384621443923fb474 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCHRESJ4\search[2].htm
| MD5 | f02a179afdf695e0dc66372e95ae4e83 |
| SHA1 | cfc4eaebc564ad28fa7b6a55a78ff8bf1efd6736 |
| SHA256 | 5d98d3a2707872391773c484143af7a5005e4deb92227dc84bfc75a0f2e74971 |
| SHA512 | 91b63c51937ef443eceb53f572de2e50ecc609b72d18bd40289d9076371265841e8ef3db40efcc1a9eb2de1d1a217e5895bb0c82a2c87090a13b014269e82326 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 737431d8c0fac9af77085c3f2b4feac5 |
| SHA1 | 868875358f14ceb5827fea1ca81647f2ad5baaf4 |
| SHA256 | ba7fb0c3931d30ef50d7fc4fbd274ef69cc979e51debcd1671fbfe2853af97c0 |
| SHA512 | 74307db9fcc300413de1c0a0477ede0c028ee4c4eb67b6ba0b4cd929959fa7699d1db4e023e005674e7accde5d7daedbec21700c2c4790afae2bbfda6c60ca42 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZF3XDR7\default[1].htm
| MD5 | 2c4ce699b73ce3278646321d836aca40 |
| SHA1 | 72ead77fbd91cfadae8914cbb4c023a618bf0bd1 |
| SHA256 | e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3 |
| SHA512 | 89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 66a71f14cdb83521520255f98feff37b |
| SHA1 | f0ff03e8d8ed7af7ce5e8f3768804a19d7898841 |
| SHA256 | 84576559fcc47e445a5f5c0e3db258c58cc9c1c12b3c3343b426c076a218125d |
| SHA512 | 353a993a7149bf86a7113ed4314d64f16b8a78f32626d1ccb15b948d82e1e75d6359b9f293b2465c5a3343ae9d60f93ca10bef0f49a41289bd27535163234b5a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 03173faf5bf6d8a0b63a150aa87bdba4 |
| SHA1 | 47d1b038704ed6f61cfff6b3aa86534675789f53 |
| SHA256 | be5869e881be0d21b794d4880444341892376fc0379d40cdd1c21ba4b211a6b1 |
| SHA512 | d95b3020d3342bd1959b7c6a6682c836ada7244b0f12d256e5ba2405de306dec89bc9e4624c606e673619b919a17cb81508ad4d69a27fb3ce301ec415a579ef3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eee018ecdbe9238ab0e5df6e88c0340d |
| SHA1 | 8d488e7d99e5d31430e1a1a31541a6ea44d9bc64 |
| SHA256 | 0b9a99a59da707898d856dc4f5fe11fe783d771cfab4f94e213534dc03c76ee1 |
| SHA512 | 6a4476c28d38f168e943625e42a4cdcfacaeeeef057235e43e2ba54a95afdbdeaa2abc1444c67288a0f7f4e838fd0e0147fcc14ea86bcf0df8f146b06f2eea07 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a1999a99d554aaf76b21fe9d24697bfa |
| SHA1 | 41a5c805af7db77f04307b5419fc5d9f5e5025f4 |
| SHA256 | a5205e8c1e3f1d81193c408fca48f3cf6797ec0dffd7d0168d6bf77dcf7a268d |
| SHA512 | 68a4a56450c1561ca4c5b365add3631663f099ff687c1282c8bf06be4ebf3edcde25d86bfb941975e3ce3d8f07a984925696b9acb32c6fd7441bd7ff9a0e5e26 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a035800fdacc38a69deaf5c113fb4911 |
| SHA1 | b994ca2580654842b6d26e29ce893067cc1a5f27 |
| SHA256 | de7ca25c7f0673722b48ba29a454ed3419a19447785bcdb2077c614a8f9792aa |
| SHA512 | 4a1233ecc093f0053ce44d5c941debb7470d67c49e905900d887c4afcc5aff72a363d41c029fff3a6f9448ef22a2846829563f80b3c5c3c16e899e563434fd91 |
memory/2380-2258-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2380-2391-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2380-2395-0x0000000000400000-0x0000000000408000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-06 20:25
Reported
2024-05-06 20:28
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Detected microsoft outlook phishing page
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3100 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 3100 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 3100 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e39857116f2df763f5dbc78c8a62ae5_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 169.254.23.201:1034 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.244.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 16.102.42.25:1034 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| N/A | 192.168.1.34:1034 | tcp | |
| US | 24.169.237.173:1034 | tcp | |
| US | 8.8.8.8:53 | 16.244.122.92.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| N/A | 192.168.1.2:1034 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| IN | 4.240.75.122:1034 | tcp | |
| US | 8.8.8.8:53 | m-ou.se | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| IE | 74.125.193.27:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 8.8.8.8:53 | mail.mailroute.net | udp |
| US | 199.89.3.120:25 | mail.mailroute.net | tcp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 8.8.8.8:53 | mx.burtleburtle.net | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 65.254.254.50:25 | mx.burtleburtle.net | tcp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 52.101.9.5:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hachyderm.io | udp |
| IE | 74.125.193.27:25 | aspmx.l.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| N/A | 192.168.3.102:1034 | tcp | |
| US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp |
| NL | 142.250.27.26:25 | alt1.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 104.17.78.30:25 | acm.org | tcp |
| US | 8.8.8.8:53 | smtp2.cs.stanford.edu | udp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 65.254.227.224:25 | burtleburtle.net | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 75.2.70.75:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | alt3.aspmx.l.google.com | udp |
| NL | 142.251.9.27:25 | alt3.aspmx.l.google.com | tcp |
| US | 16.37.50.108:1034 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 142.250.153.27:25 | tcp |
Files
memory/3100-0-0x0000000000500000-0x000000000050D000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/1448-7-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1448-13-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-17-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-21-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-22-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-30-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-31-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-35-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-39-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-40-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | b6e5d20e4e1383c512814542ae9fdf43 |
| SHA1 | de512359a92da060d99a4f19d1f0ea0ed3294726 |
| SHA256 | 5b58a3256be5c1f0a5a8c8f08537349b2b5109ebc3144b56e5c0c8adda5c4ee6 |
| SHA512 | b18cb6cbae6b2d6356425e0559961c2f03743a74e598cc3a6868ad1130f37daeb8be46a1107b4c302fa7a1181ff94cb96ec94bafd480b7dae4b0f22002eb7e95 |
C:\Users\Admin\AppData\Local\Temp\tmpDB59.tmp
| MD5 | eb6b8889fbbef7898425bb2fe4f4848a |
| SHA1 | 94b51bf4245b787b601ffd970c226ebcf25fc758 |
| SHA256 | 98c6d966bfe7919f12687e0f4c8467fbc86c835c41e9eb027044ddf571eceb18 |
| SHA512 | 3f8b58cdaecb0c0d1e799cd8e28e99d08f0e19331e8bc57eb11b0d7c2d793495cda999558a93baf9500dadaaf389bb5cd3607893a24ce68dadccd6743b68727b |
memory/1448-129-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\22GDAN8B\search[2].htm
| MD5 | 798e40780b4758f7c0a07bd83f249c60 |
| SHA1 | 09f31e47ed43fcba375a6ffbc200bef471e33363 |
| SHA256 | f45d05e465b077dc1e1613c47b36b6fc1e1e1e9a1fd5783d1552f46cd7836c5d |
| SHA512 | 3a440be60f16e6b9f5a875f747f2d5d6c883e6c263d0c87771f25d3919d7dfdb73495a7745848b1698ef999282b907668beba66d694bd80befb5b8765b123b1d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LA4X8NGR\search[5].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SZ2TD4H5\1FY6P4US.htm
| MD5 | 0237f11b1b8a33e051fbb4804117d10d |
| SHA1 | 2100891d3704b2c16412af6ffc550085cadb1c37 |
| SHA256 | 77621c5b74b067636c0247374b412229d42ff350eec858e94fa203da010c30eb |
| SHA512 | de14e8b6572a18a0c845b1a4eff74041dbfa4ae55a451fc68a49f35b8540ff2005fca8b5c32f833cbc08d32f8129e04cd0914fffcee1f960396aed11ca16c8fa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\22GDAN8B\search[6].htm
| MD5 | d042239abb73f637d924f33952fbd19c |
| SHA1 | 260c215d6e76cd3991e2399f022ddd60a5966cb4 |
| SHA256 | c93ecc0798bd8a7e2435dcd6ca23ad6e76f462b6ec90938fbf52d87dc94d9578 |
| SHA512 | 7a8b1a4ae5fcfda6a6931ba31ad465f2f280a43d447ff8fd251c1a20c700091ce05893c34cee23e904007da9bb3d63dcb77a58996d8e977f5f12cca0cd63cee7 |
memory/1448-229-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-230-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1448-234-0x0000000000400000-0x0000000000408000-memory.dmp