Analysis Overview
SHA256
8298be3054f9f33b629b53757659873ad12b81b3f7038e0cd39fa0131f1553a3
Threat Level: Known bad
The file 2c985167149b7ef64306f58a41a9890e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Renames multiple (93) files with added filename extension
Renames multiple (1790) files with added filename extension
ASPack v2.12-2.42
Drops startup file
Enumerates connected drives
Drops autorun.inf file
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 01:07
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 01:07
Reported
2024-05-10 01:09
Platform
win7-20240508-en
Max time kernel
145s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Renames multiple (93) files with added filename extension
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe"
Network
Files
memory/2284-2-0x00000000001B0000-0x00000000001B1000-memory.dmp
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
| Hash | Value |
| --- | --- |
| MD5 | 29c7d28f29b428a6c3ac547ed45824d3 |
| SHA1 | 337ee746b4039e85222c78648508436da0ce63cf |
| SHA256 | c252dabeecc0db15d4b34e7809eee34f36bf105ac256703a0c765a1418818312 |
| SHA512 | 90cf2beb19e3416f6ade6a407fc2413a462b89f6b945be0021ec296fd0fceaa9585c6f842e97fafe1239c950c3f7119da7c8312182047bf4a3659eb827ec1d46 |
C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini.exe
| Hash | Value |
| --- | --- |
| MD5 | 5ec41d44015569570ca46d5d919bd82a |
| SHA1 | 7084f215de9f93911c28c8249a4a22622fd45242 |
| SHA256 | 76621d0ea3a29c535952b1356aa6054b02e28dadf821adfa9b78617638c5bc89 |
| SHA512 | 19fbde28238928dda0e0441e1a7f6067e6ae06f605dc8b92ab8a0404580f89423c2081351ce69a05c9f86c65b8c0239b419b71be753b539269eac7c510a8d00a |
F:\AUTORUN.INF
| Hash | Value |
| --- | --- |
| MD5 | ca13857b2fd3895a39f09d9dde3cca97 |
| SHA1 | 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0 |
| SHA256 | cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae |
| SHA512 | 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47 |
memory/2284-227-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2284-230-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| Hash | Value |
| --- | --- |
| MD5 | 86e1d65783036b7d40ec634ea8781d08 |
| SHA1 | da31a19419aabe38876df5ef4501576770eed875 |
| SHA256 | 824b67692472d66998e75cdd55f31c5487ca560385d72a7ea6f06d3553c45490 |
| SHA512 | 88ecc28fc2d17c62987aba48bb2407a286166c6dd26b418d335d78c2d91cc052771b601a44527f07e7526ea907084e2ec76c27d5844d42eda9f2ede648352c93 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 01:07
Reported
2024-05-10 01:10
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Renames multiple (1790) files with added filename extension
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\System\msadc\msadce.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\PresentationUI.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\jfxwebkit.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Xaml.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\UIAutomationProvider.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\PresentationUI.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\UIAutomationProvider.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\PresentationCore.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\gl.txt.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\ReachFramework.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationCore.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\System\ado\adojavas.inc.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\UIAutomationProvider.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\WindowsBase.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\da.txt.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\yo.txt.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Timer.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Forms.Primitives.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Tracing.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\UIAutomationProvider.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.Xml.Linq.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Resources.Extensions.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\UIAutomationProvider.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\PresentationFramework.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\System\ado\msado15.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\host\fxr\6.0.25\hostfxr.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ComponentModel.Primitives.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-conio-l1-1-0.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\LICENSE.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.DataContractSerialization.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\UIAutomationClientSideProviders.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsFormsIntegration.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l1-2-0.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.ProtectedData.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\UIAutomationClientSideProviders.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Collections.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\UIAutomationClient.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Tools.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Drawing.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\System.Windows.Forms.Design.resources.dll.exe | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c985167149b7ef64306f58a41a9890e_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
Files
memory/2748-0-0x0000000002310000-0x0000000002311000-memory.dmp
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
| Hash | Value |
| --- | --- |
| MD5 | 6c686950f024d357c678d093216ae5fb |
| SHA1 | 99a430b24c8d43fb58b4e6927383d2e1cda5e94b |
| SHA256 | ddfc90c9d130e4fb2d317629b66ccb13581310f29bc9640549a82134bf51e855 |
| SHA512 | ebb0577173ace55b0dce06793acbc4e3e1dc173241c280afa41b40d2f32d6a7dbcf58ca6a34a897586daba1406c65350696fddfbd5766f4730f534a23e156b6a |
F:\AUTORUN.INF
| Hash | Value |
| --- | --- |
| MD5 | ca13857b2fd3895a39f09d9dde3cca97 |
| SHA1 | 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0 |
| SHA256 | cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae |
| SHA512 | 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47 |
C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.exe
| Hash | Value |
| --- | --- |
| MD5 | 2ae74710232b52b32bc69b96c74b3fb9 |
| SHA1 | 656fbb03b91874d6a9d3262fbe43d1756616251c |
| SHA256 | 6d186f2586c8fbf9c89a1aba5b55e6913b2425c64f11cf657631a8be6ef1a4f1 |
| SHA512 | de4cc0fbe9104abc1b192d7b4d620a16f114cbd63250e2ecc99a0874f2a9ab3bb4b8cbd590feb6cb5266dca79a246ab001b477cb1d6632e992c662ff5bbfed97 |