Malware Analysis Report

2025-03-15 05:44

Sample ID 240510-bgtsyahg3w
Target 2c985167149b7ef64306f58a41a9890e_JaffaCakes118
SHA256 8298be3054f9f33b629b53757659873ad12b81b3f7038e0cd39fa0131f1553a3
Tags
aspackv2 persistence ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

8298be3054f9f33b629b53757659873ad12b81b3f7038e0cd39fa0131f1553a3

Threat Level: Known bad

The file 2c985167149b7ef64306f58a41a9890e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (93) files with added filename extension

Renames multiple (1790) files with added filename extension

ASPack v2.12-2.42

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 01:07

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 01:07

Reported

2024-05-10 01:09

Platform

win7-20240508-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A

Renames multiple (93) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A

Enumerates connected drives

Description (all 23 rows): File opened (read-only)
Process (all rows): C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe
Target (all rows): N/A
Indicators, in the order observed: \??\M:, \??\N:, \??\Q:, \??\T:, \??\B:, \??\E:, \??\I:, \??\P:, \??\W:, \??\Y:, \??\A:, \??\H:, \??\O:, \??\S:, \??\Z:, \??\G:, \??\L:, \??\R:, \??\V:, \??\X:, \??\J:, \??\K:, \??\U:

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe"

Network

N/A

Files

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

MD5 29c7d28f29b428a6c3ac547ed45824d3
SHA1 337ee746b4039e85222c78648508436da0ce63cf
SHA256 c252dabeecc0db15d4b34e7809eee34f36bf105ac256703a0c765a1418818312
SHA512 90cf2beb19e3416f6ade6a407fc2413a462b89f6b945be0021ec296fd0fceaa9585c6f842e97fafe1239c950c3f7119da7c8312182047bf4a3659eb827ec1d46

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini.exe

MD5 5ec41d44015569570ca46d5d919bd82a
SHA1 7084f215de9f93911c28c8249a4a22622fd45242
SHA256 76621d0ea3a29c535952b1356aa6054b02e28dadf821adfa9b78617638c5bc89
SHA512 19fbde28238928dda0e0441e1a7f6067e6ae06f605dc8b92ab8a0404580f89423c2081351ce69a05c9f86c65b8c0239b419b71be753b539269eac7c510a8d00a

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 86e1d65783036b7d40ec634ea8781d08
SHA1 da31a19419aabe38876df5ef4501576770eed875
SHA256 824b67692472d66998e75cdd55f31c5487ca560385d72a7ea6f06d3553c45490
SHA512 88ecc28fc2d17c62987aba48bb2407a286166c6dd26b418d335d78c2d91cc052771b601a44527f07e7526ea907084e2ec76c27d5844d42eda9f2ede648352c93

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 01:07

Reported

2024-05-10 01:10

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A

Renames multiple (1790) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A

Enumerates connected drives

Description (all 23 rows): File opened (read-only)
Process (all rows): C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe
Target (all rows): N/A
Indicators, in the order observed: \??\Y:, \??\M:, \??\N:, \??\P:, \??\T:, \??\W:, \??\X:, \??\B:, \??\I:, \??\U:, \??\V:, \??\A:, \??\J:, \??\O:, \??\S:, \??\Z:, \??\R:, \??\E:, \??\G:, \??\H:, \??\K:, \??\L:, \??\Q:

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description (all 64 rows): File created
Process (all rows): C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe
Target (all rows): N/A
Indicators, in the order observed:
C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.exe
C:\Program Files\Common Files\System\msadc\msadce.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\PresentationUI.resources.dll.exe
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.exe
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jfxwebkit.dll.exe
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Xaml.resources.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\UIAutomationProvider.resources.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\PresentationUI.resources.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\UIAutomationProvider.resources.dll.exe
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\PresentationCore.resources.dll.exe
C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.exe
C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.exe
C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.exe
C:\Program Files\7-Zip\Lang\gl.txt.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\ReachFramework.resources.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationCore.dll.exe
C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.exe
C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.dll.exe
C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.exe
C:\Program Files\Common Files\System\ado\adojavas.inc.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\UIAutomationProvider.resources.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\WindowsBase.resources.dll.exe
C:\Program Files\7-Zip\Lang\da.txt.exe
C:\Program Files\7-Zip\Lang\yo.txt.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Timer.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Forms.Primitives.resources.dll.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.exe
C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Tracing.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\UIAutomationProvider.resources.dll.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.Xml.Linq.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Resources.Extensions.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\UIAutomationProvider.resources.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\PresentationFramework.resources.dll.exe
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.exe
C:\Program Files\Common Files\System\ado\msado15.dll.exe
C:\Program Files\dotnet\host\fxr\6.0.25\hostfxr.dll.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ComponentModel.Primitives.dll.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-conio-l1-1-0.dll.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\LICENSE.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.DataContractSerialization.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\UIAutomationClientSideProviders.resources.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsFormsIntegration.resources.dll.exe
C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l1-2-0.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.ProtectedData.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\UIAutomationClientSideProviders.resources.dll.exe
C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Collections.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\UIAutomationClient.resources.dll.exe
C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.exe
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.exe
C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Tools.dll.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Drawing.dll.exe
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\System.Windows.Forms.Design.resources.dll.exe

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp

Files

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

MD5 6c686950f024d357c678d093216ae5fb
SHA1 99a430b24c8d43fb58b4e6927383d2e1cda5e94b
SHA256 ddfc90c9d130e4fb2d317629b66ccb13581310f29bc9640549a82134bf51e855
SHA512 ebb0577173ace55b0dce06793acbc4e3e1dc173241c280afa41b40d2f32d6a7dbcf58ca6a34a897586daba1406c65350696fddfbd5766f4730f534a23e156b6a

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.exe

MD5 2ae74710232b52b32bc69b96c74b3fb9
SHA1 656fbb03b91874d6a9d3262fbe43d1756616251c
SHA256 6d186f2586c8fbf9c89a1aba5b55e6913b2425c64f11cf657631a8be6ef1a4f1
SHA512 de4cc0fbe9104abc1b192d7b4d620a16f114cbd63250e2ecc99a0874f2a9ab3bb4b8cbd590feb6cb5266dca79a246ab001b477cb1d6632e992c662ff5bbfed97
