Analysis Overview
SHA256
a1f4fe13660f74f8d80a135430ea8aea95162e79db1a34cc8af6111d44cad9b8
Threat Level: Known bad
The file 2495b66bc96857b3eb723c268f69eb96_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
GandCrab payload
Gandcrab
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
Program crash
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-08 11:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-08 11:12
Reported
2024-05-08 11:14
Platform
win7-20240221-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
GandCrab payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gandcrab
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JVSGE.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UI833.tmp\firefox.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JVSGE.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JVSGE.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nmoljutegbj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\zmvhff.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-UI833.tmp\firefox.exe | N/A |
Enumerates connected drives
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\is-UI833.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\is-UI833.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\is-UI833.tmp\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JVSGE.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JVSGE.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UI833.tmp\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UI833.tmp\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JVSGE.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-JVSGE.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JVSGE.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp" /SL5="$7011E,1892639,119808,C:\Users\Admin\AppData\Local\Temp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-UI833.tmp\firefox.exe
"C:\Users\Admin\AppData\Local\Temp\is-UI833.tmp\firefox.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipv4bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | carder.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ransomware.bit | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
Files
memory/2860-2-0x0000000000401000-0x000000000040C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-JVSGE.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp
| MD5 | 77b128016c2afcab8b68c63176b1f138 |
| SHA1 | 55eb34db1a896ab0fc28834e85564442a059a292 |
| SHA256 | 5dd8f4ae39faace0fdf6154928486391f8c9c1b0889aa52381bdd23a7526d7f4 |
| SHA512 | 62b026ac296d3d74858680cf02e3a8d26c3632ebea02bbe6f74c9b6d7b064ea2f914e25995a43c7f69736aa686cb76c16548468d861fd15074c78c923fcd4e79 |
memory/2100-8-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2860-0-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-UI833.tmp\firefox.exe
| MD5 | d8a8729b3be7e17fe15aee8be05e081d |
| SHA1 | bbfa257bdf6a7fcb1fe704b990f139434b97e775 |
| SHA256 | ef1f6c15b47d7b3efa84882d682c7377729805d172324901b3f559208f200641 |
| SHA512 | 2b1095fbfd5628076e04593262293793b5b43cd4cc70f76d81d46f56e8e4aac5e37103a200e01722c8c925119945bc97ea6e863575b3edef26023a4b26549f65 |
memory/1472-115-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1472-116-0x0000000000330000-0x0000000000347000-memory.dmp
memory/2860-127-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2100-125-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1472-128-0x0000000000400000-0x000000000043C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-08 11:12
Reported
2024-05-08 11:14
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
104s
Command Line
Signatures
GandCrab payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gandcrab
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L5H80.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L5H80.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L5H80.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L5H80.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-L5H80.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L5H80.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp" /SL5="$C005E,1892639,119808,C:\Users\Admin\AppData\Local\Temp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe
"C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2176 -ip 2176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 480
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/2912-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2912-2-0x0000000000401000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-L5H80.tmp\2495b66bc96857b3eb723c268f69eb96_JaffaCakes118.tmp
| MD5 | 77b128016c2afcab8b68c63176b1f138 |
| SHA1 | 55eb34db1a896ab0fc28834e85564442a059a292 |
| SHA256 | 5dd8f4ae39faace0fdf6154928486391f8c9c1b0889aa52381bdd23a7526d7f4 |
| SHA512 | 62b026ac296d3d74858680cf02e3a8d26c3632ebea02bbe6f74c9b6d7b064ea2f914e25995a43c7f69736aa686cb76c16548468d861fd15074c78c923fcd4e79 |
memory/4396-7-0x0000000000400000-0x00000000004CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-V8PII.tmp\firefox.exe
| MD5 | d8a8729b3be7e17fe15aee8be05e081d |
| SHA1 | bbfa257bdf6a7fcb1fe704b990f139434b97e775 |
| SHA256 | ef1f6c15b47d7b3efa84882d682c7377729805d172324901b3f559208f200641 |
| SHA512 | 2b1095fbfd5628076e04593262293793b5b43cd4cc70f76d81d46f56e8e4aac5e37103a200e01722c8c925119945bc97ea6e863575b3edef26023a4b26549f65 |
memory/2176-109-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2176-110-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2176-111-0x00000000005E0000-0x00000000005F7000-memory.dmp
memory/4396-116-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2912-118-0x0000000000400000-0x0000000000424000-memory.dmp