Malware Analysis Report

2024-09-11 10:00

Sample ID 240511-pergpafe2y
Target 3488b0c364c116f0649c40009a745ba8_JaffaCakes118
SHA256 8e1aa0b81c431b07d9101bf00ebf8f80575faa99769dfd880ed6ab2c24f87ea3
Tags
limerat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8e1aa0b81c431b07d9101bf00ebf8f80575faa99769dfd880ed6ab2c24f87ea3

Threat Level: Known bad

The file 3488b0c364c116f0649c40009a745ba8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

limerat rat

LimeRAT

Executes dropped EXE

Checks computer location settings

Drops startup file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-11 12:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 12:14

Reported

2024-05-11 12:17

Platform

win7-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe"

Signatures

LimeRAT

rat limerat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfsdgh.exe.lnk C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1740 set thread context of 2752 N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; (×n) is the number of rows, i.e. separate write events.

Description Indicator Process Target
PID 1740 wrote to memory of 1728 (×4) N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1680 (×4) N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2712 (×4) N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2752 (×8) N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1740 wrote to memory of 2968 (×4) N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2552 (×4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
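Read together, the SetThreadContext row and the WriteProcessMemory rows above are the RunPE / process-hollowing pattern (ATT&CK T1055.012): the sample starts its dropped svhost.exe (PID 2752), writes into it eight times, then calls SetThreadContext on it, which is how a suspended thread is redirected to injected code. The writes into the cmd.exe children carry no SetThreadContext and are not hollowing on their own. The Files section further down lists repeated dumps of a 48 KiB region at 0x80000 in PID 2752, which is a natural place to start carving for a PE header. The following is an added example, not code from the report or from LimeRAT: it replays an API-call trace constructed from the two tables (the position of the SetThreadContext call relative to the writes is an assumption, since the tables are separate), scores each parent/child pair, and parses the report's memory-dump file names so the regions to carve can be listed per PID.

```python
import re
from collections import defaultdict

# Constructed API-call trace transcribed from the behavioral1 Signatures tables
# above: one tuple per WriteProcessMemory row plus the single SetThreadContext
# row. The report does not order the two tables relative to each other; placing
# the context change after the writes to 2752 is an assumption (the RunPE order).
API_EVENTS = (
    [("WriteProcessMemory", 1740, 1728)] * 4
    + [("WriteProcessMemory", 1740, 1680)] * 4
    + [("WriteProcessMemory", 1740, 2712)] * 4
    + [("WriteProcessMemory", 1740, 2752)] * 8
    + [("SetThreadContext", 1740, 2752)]
    + [("WriteProcessMemory", 1740, 2968)] * 4
    + [("WriteProcessMemory", 2968, 2552)] * 4
)
IMAGES = {
    1740: r"C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe",
    1728: r"C:\Windows\SysWOW64\cmd.exe", 1680: r"C:\Windows\SysWOW64\cmd.exe",
    2712: r"C:\Windows\SysWOW64\cmd.exe", 2968: r"C:\Windows\SysWOW64\cmd.exe",
    2752: r"C:\Users\Admin\AppData\Local\Temp\svhost.exe",
    2552: r"C:\Windows\SysWOW64\timeout.exe",
}
# "Executes dropped EXE": files the sample itself wrote before running them.
DROPPED = {r"C:\Users\Admin\AppData\Local\Temp\svhost.exe"}
# Dump names for PID 2752 copied from the behavioral1 Files section.
DUMPS = [
    "memory/2752-17-0x0000000000080000-0x000000000008C000-memory.dmp",
    "memory/2752-21-0x0000000000080000-0x000000000008C000-memory.dmp",
    "memory/2752-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp",
    "memory/2752-31-0x0000000000080000-0x000000000008C000-memory.dmp",
]


def find_hollowing(api_events, images, dropped, min_writes=2):
    """Score every (parent, child) pair for the RunPE / process-hollowing pattern.

    Pattern: the parent writes into the child several times, then calls
    SetThreadContext on it to point a suspended thread at the injected code.
    Writes with no context change (the cmd.exe children here) are reported
    as 'writes_only' and not flagged.
    """
    writes = defaultdict(int)   # (parent, child) -> total WriteProcessMemory calls
    before_ctx = {}             # (parent, child) -> writes seen before first SetThreadContext
    for api, src, dst in api_events:
        pair = (src, dst)
        if api == "WriteProcessMemory":
            writes[pair] += 1
        elif api == "SetThreadContext" and pair not in before_ctx:
            before_ctx[pair] = writes[pair]
    results = {}
    for pair in set(writes) | set(before_ctx):
        child = images.get(pair[1], "")
        n_before = before_ctx.get(pair)
        if n_before is not None and n_before >= min_writes:
            verdict = "hollowing_into_dropped_exe" if child in dropped else "hollowing"
        elif n_before is not None:
            verdict = "context_change_only"
        else:
            verdict = "writes_only"
        results[pair] = {"child": child, "writes": writes.get(pair, 0),
                         "writes_before_ctx": n_before, "verdict": verdict}
    return results


def flagged_pairs(api_events, images, dropped):
    """(parent, child) pairs whose verdict is a hollowing variant, sorted."""
    return sorted(p for p, r in find_hollowing(api_events, images, dropped).items()
                  if r["verdict"].startswith("hollowing"))


# Dump file names in the report follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """-> (pid, seq, start, end) with addresses as ints; raises on other names."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions(dump_names, pid):
    """Distinct (start, end, size) regions dumped for pid, lowest address first."""
    seen = {}
    for n in dump_names:
        p, _, s, e = parse_dump_name(n)
        if p == pid:
            seen[(s, e)] = e - s
    return sorted((s, e, sz) for (s, e), sz in seen.items())


if __name__ == "__main__":
    for pair, r in sorted(find_hollowing(API_EVENTS, IMAGES, DROPPED).items()):
        print(f"{pair[0]} -> {pair[1]} ({r['child']}): {r['writes']} writes, verdict={r['verdict']}")
    for s, e, sz in regions(DUMPS, 2752):
        print(f"PID 2752 region {s:#x}-{e:#x} ({sz // 1024} KiB)")
```

The write count alone is a weak signal (a debugger or the sandbox's own hooks also write into children); the verdict only fires when the writes precede a SetThreadContext on the same child, and it is upgraded when that child is an executable the parent dropped.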

Processes

C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe" "%appdata%\sdfg\dfsdgh.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\sdfg\dfsdgh.exe:Zone.Identifier

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ren "%appdata%\sdfg\dfsdgh.exe.jpg" dfsdgh.exe

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 300
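The four cmd.exe invocations above, the Startup .lnk from the Signatures table and the timeout /t 300 child together are the dropper's persistence chain: copy itself to %appdata%\sdfg\dfsdgh.exe, stamp that copy with a Zone.Identifier stream whose ZoneId is 2 (URLZONE_TRUSTED, so the copy never carries the Internet-zone mark of the web that a browser download gets), rename %appdata%\sdfg\dfsdgh.exe.jpg to dfsdgh.exe (no .jpg file appears in the Files section), point a Startup-folder shortcut at it, and sleep for 300 s from dfsdgh.exe.bat. Note that 300 s is longer than this run's 149 s kernel window, so whatever the .bat does after the sleep was not observed. The detection logic below is an added example, not part of the sandbox report or of LimeRAT: it runs over Sysmon-style process-creation and file-creation events constructed from the rows above (which cmd.exe PID ran which command line is not stated on the page and is assumed here) and flags each step of the chain.

```python
import re

# Constructed Sysmon-style events modelled on the behavioral1 Processes and
# Signatures sections of the report. Which cmd.exe PID ran which command line
# is not stated on the page; the mapping below is an assumption for the example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    {"type": "proc", "pid": 1740, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "proc", "pid": 1728, "ppid": 1740, "image": CMD,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe" "%appdata%\sdfg\dfsdgh.exe" /Y'},
    {"type": "proc", "pid": 1680, "ppid": 1740, "image": CMD,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\sdfg\dfsdgh.exe:Zone.Identifier'},
    {"type": "proc", "pid": 2712, "ppid": 1740, "image": CMD,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ren "%appdata%\sdfg\dfsdgh.exe.jpg" dfsdgh.exe'},
    {"type": "file", "pid": 1740,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfsdgh.exe.lnk"},
    {"type": "proc", "pid": 2968, "ppid": 1740, "image": CMD,
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe.bat"},
    {"type": "proc", "pid": 2552, "ppid": 2968, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout /t 300"},
]

# URLZONE values carried in a Zone.Identifier stream; browsers write 3 (Internet).
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

SELF_COPY = re.compile(r"/c\s+copy\b.*?[\\/]Temp[\\/].*?\.exe.*?%appdata%", re.I)
ADS_WRITE = re.compile(r">\s*\S+:Zone\.Identifier\b", re.I)
ZONE_ID = re.compile(r"ZoneId\s*=\s*(\d)", re.I)
EXT_SWAP = re.compile(r'/c\s+ren\b.*?\.(?:jpg|jpeg|png|gif|pdf|txt)"?\s+\S+\.exe\b', re.I)
TIMEOUT = re.compile(r"\btimeout(?:\.exe)?\s+/t\s+(\d+)", re.I)


def analyze(events):
    """Return (technique, pid, detail) findings for each step of the dropper chain."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "proc"}
    findings = []
    for e in events:
        if e["type"] == "file":
            p = e["path"].lower()
            if "\\start menu\\programs\\startup\\" in p and p.endswith(".lnk"):
                findings.append(("startup_lnk", e["pid"], e["path"]))
            continue
        cmd = e["cmdline"]
        if SELF_COPY.search(cmd):
            findings.append(("self_copy_to_appdata", e["pid"], cmd))
        if ADS_WRITE.search(cmd):
            m = ZONE_ID.search(cmd)
            zone = int(m.group(1)) if m else None
            if zone is not None and zone < 3:
                # Rewriting the mark of the web below Internet (3) removes the
                # "this file came from another computer" handling for the copy.
                findings.append(("motw_downgrade", e["pid"], f"ZoneId={zone} ({ZONE_NAMES[zone]})"))
            else:
                findings.append(("ads_write", e["pid"], cmd))
        if EXT_SWAP.search(cmd):
            findings.append(("decoy_extension_rename", e["pid"], cmd))
        m = TIMEOUT.search(cmd)
        if m and e["image"].lower().endswith("timeout.exe"):
            secs = int(m.group(1))
            parent = by_pid.get(e["ppid"], {}).get("cmdline", "")
            # A long sleep launched from a .bat in AppData is the sandbox-outlasting
            # delay seen in this report (300 s against a 149 s run).
            if secs >= 60 and re.search(r"appdata.*\.bat\b", parent, re.I):
                findings.append(("delayed_exec_from_bat", e["pid"], f"{secs}s sleep via {parent}"))
    return findings


def techniques(events):
    """Distinct technique names in detection order."""
    seen = []
    for name, _, _ in analyze(events):
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for name, pid, detail in analyze(EVENTS):
        print(f"[{name}] pid={pid}: {detail}")
```

Each rule is deliberately narrow (copy from Temp into %appdata%, a redirect into a :Zone.Identifier stream, a rename from a decoy extension to .exe, a Startup .lnk, a minute-plus timeout under an AppData .bat) so that any one of them is a usable hunt on its own; the echoed stream content here is also malformed as an INI (section and key on one line), which is why the rule keys on the stream name and only reads the ZoneId opportunistically.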

Network

Identical consecutive rows collapsed; (×n) is the number of rows, and '-' marks a connection with no domain (direct to IP).

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
DE 193.161.193.99:44611 - tcp (×41)

Files

memory/1740-0-0x000000007450E000-0x000000007450F000-memory.dmp

memory/1740-1-0x00000000012C0000-0x0000000001534000-memory.dmp

memory/1740-2-0x0000000006F90000-0x00000000070C0000-memory.dmp

memory/1740-4-0x0000000074500000-0x0000000074BEE000-memory.dmp

memory/1740-3-0x00000000004B0000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe

MD5 3488b0c364c116f0649c40009a745ba8
SHA1 c3e4b049dc44aa1eee0d592f0da97f68317cb222
SHA256 8e1aa0b81c431b07d9101bf00ebf8f80575faa99769dfd880ed6ab2c24f87ea3
SHA512 82f645d849f19629fb252e89ceada9d480e97c7b4494e54fae9d3da61b5255e58b588ee547b19824ffdabeb664542f26e941c5d960affaeb04d76d5dec2417df

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

memory/2752-17-0x0000000000080000-0x000000000008C000-memory.dmp

memory/2752-21-0x0000000000080000-0x000000000008C000-memory.dmp

memory/2752-29-0x0000000000080000-0x000000000008C000-memory.dmp

memory/2752-26-0x0000000000080000-0x000000000008C000-memory.dmp

memory/2752-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2752-31-0x0000000000080000-0x000000000008C000-memory.dmp

memory/2752-19-0x0000000000080000-0x000000000008C000-memory.dmp

C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe.bat

MD5 249f71028fa2742d4a26ecf30e6b4eb8
SHA1 b2a07bd19cab5fd7be8ed0de7ac2934ce7cc3752
SHA256 ba381c05e6cd8083abe50136bec85ed088e140610fdac6f449e775e736bf163f
SHA512 6ffe6ded3fe52811b15cbab8667c1a970b0391864dceec7051ee87f536619d81005ee7aa082051511f48274288ae5fbefc324603593350122bf507fb3a309ad4

memory/1740-41-0x0000000074500000-0x0000000074BEE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 12:14

Reported

2024-05-11 12:17

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe"

Signatures

LimeRAT

rat limerat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfsdgh.exe.lnk C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4856 set thread context of 2076 N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; (×n) is the number of rows, i.e. separate write events.

Description Indicator Process Target
PID 4856 wrote to memory of 1164 (×3) N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 1088 (×3) N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 1388 (×3) N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 2076 (×7) N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4856 wrote to memory of 2264 (×3) N/A C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2008 (×3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/3488b0c364c116f0649c40009a745ba8_JaffaCakes118.exe" "%appdata%\sdfg\dfsdgh.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\sdfg\dfsdgh.exe:Zone.Identifier

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ren "%appdata%\sdfg\dfsdgh.exe.jpg" dfsdgh.exe

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

Network

Identical consecutive rows collapsed; (×n) is the number of rows, and '-' marks a connection with no domain (direct to IP).

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
DE 193.161.193.99:44611 - tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 193.161.193.99:44611 - tcp (×4)
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
DE 193.161.193.99:44611 - tcp (×8)
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 193.161.193.99:44611 - tcp (×3)
US 52.111.229.48:443 - tcp
DE 193.161.193.99:44611 - tcp (×4)
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 193.161.193.99:44611 - tcp (×2)
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (×4)
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 193.161.193.99:44611 - tcp (×10)
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp
DE 193.161.193.99:44611 - tcp
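Two things stand out in this table. The connection to pastebin.com (the hit the report tags as a legitimate hosting service abused for C2) is immediately followed by the first of 33 TCP connections to 193.161.193.99:44611, a raw IP on a non-standard port with no DNS name; LimeRAT's builder can fetch its C2 host from a Pastebin paste, so this ordering is consistent with a dead-drop resolver (ATT&CK T1102.001). Everything else here (the bing.com and bing.net traffic and the in-addr.arpa reverse lookups) is Windows 10 background activity that must not be promoted to an IOC; compare the Windows 7 run above, where only pastebin.com and 193.161.193.99:44611 appear. 52.111.229.48:443, with no name, needs a manual check before it is called anything. The following is an added example, not part of the report: it triages rows constructed from this table with a sandbox-noise allowlist and a dead-drop host list (both assumed, illustrative lists), extracts the C2 and dead-drop IOCs, and checks that the dead-drop fetch precedes the first C2 connection.

```python
from collections import OrderedDict

# Rows constructed from the behavioral2 Network table above (win10 run), as
# (country, destination, domain, proto); runs of identical rows are multiplied.
ROWS = (
    [("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
     ("US", "8.8.8.8:53", "g.bing.com", "udp"),
     ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
     ("NL", "23.62.61.72:443", "www.bing.com", "tcp"),
     ("US", "8.8.8.8:53", "pastebin.com", "udp"),
     ("US", "104.20.4.235:443", "pastebin.com", "tcp")]
    + [("DE", "193.161.193.99:44611", "", "tcp")] * 5
    + [("US", "52.111.229.48:443", "", "tcp")]
    + [("DE", "193.161.193.99:44611", "", "tcp")] * 28
    + [("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp")] * 4
)

# Assumed, illustrative lists: background traffic of the analysis VM that must
# not become IOCs, and services commonly used as dead-drop resolvers.
NOISE_SUFFIXES = ("in-addr.arpa", "bing.com", "bing.net", "microsoft.com",
                  "windowsupdate.com", "msftconnecttest.com")
DEAD_DROP_HOSTS = ("pastebin.com", "raw.githubusercontent.com", "cdn.discordapp.com")


def _under(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(row):
    """Label a row: platform_noise, dns_query, dead_drop_resolver, c2_candidate, unresolved or other."""
    _country, dest, domain, proto = row
    port = int(dest.rsplit(":", 1)[1])
    d = domain.lower()
    if d and _under(d, NOISE_SUFFIXES):
        return "platform_noise"
    if port == 53 and proto == "udp":
        return "dns_query"
    if _under(d, DEAD_DROP_HOSTS):
        return "dead_drop_resolver"
    if not d and port not in (80, 443):
        return "c2_candidate"         # direct-to-IP on a non-standard port
    if not d:
        return "unresolved"           # direct-to-IP on 80/443: check the owner by hand
    return "other"


def triage(rows):
    """Collapse rows per (destination, domain), extract IOCs and check ordering."""
    per_dest = OrderedDict()
    for i, row in enumerate(rows):
        key = (row[1], row[2])
        entry = per_dest.setdefault(key, {"class": classify(row), "count": 0, "first": i})
        entry["count"] += 1

    def first_of(cls):
        idx = [e["first"] for e in per_dest.values() if e["class"] == cls]
        return min(idx) if idx else None

    dd, c2 = first_of("dead_drop_resolver"), first_of("c2_candidate")
    return {
        "c2": {dest: e["count"] for (dest, _), e in per_dest.items() if e["class"] == "c2_candidate"},
        "dead_drops": sorted({dom for (_, dom), e in per_dest.items() if e["class"] == "dead_drop_resolver"}),
        "needs_review": sorted(dest for (dest, _), e in per_dest.items() if e["class"] == "unresolved"),
        "noise_rows": sum(e["count"] for e in per_dest.values() if e["class"] == "platform_noise"),
        # True when the hosting-service fetch precedes the first raw-IP C2
        # connection, which is the order a dead-drop resolver produces.
        "c2_after_dead_drop": dd is not None and c2 is not None and dd < c2,
    }


if __name__ == "__main__":
    for k, v in triage(ROWS).items():
        print(f"{k}: {v}")
```

The allowlist is the important part: without it, a report like this one yields a dozen Microsoft IPs and reverse-lookup names as "IOCs", and the one destination that matters (33 connections to a single IP:port with no DNS name) is lost in them. pastebin.com itself is a hosting IOC for this sample, not a block candidate.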

Files

memory/4856-0-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

memory/4856-1-0x0000000000E50000-0x00000000010C4000-memory.dmp

memory/4856-2-0x0000000007E70000-0x0000000007FA0000-memory.dmp

memory/4856-3-0x00000000086E0000-0x0000000008C84000-memory.dmp

memory/4856-4-0x0000000008130000-0x00000000081C2000-memory.dmp

memory/4856-5-0x00000000081D0000-0x000000000826C000-memory.dmp

memory/4856-7-0x0000000074E10000-0x00000000755C0000-memory.dmp

memory/4856-6-0x0000000005510000-0x000000000551C000-memory.dmp

C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe

MD5 3488b0c364c116f0649c40009a745ba8
SHA1 c3e4b049dc44aa1eee0d592f0da97f68317cb222
SHA256 8e1aa0b81c431b07d9101bf00ebf8f80575faa99769dfd880ed6ab2c24f87ea3
SHA512 82f645d849f19629fb252e89ceada9d480e97c7b4494e54fae9d3da61b5255e58b588ee547b19824ffdabeb664542f26e941c5d960affaeb04d76d5dec2417df

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 8fdf47e0ff70c40ed3a17014aeea4232
SHA1 e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256 ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512 bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

memory/2076-16-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2076-19-0x0000000074E10000-0x00000000755C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\sdfg\dfsdgh.exe.bat

MD5 249f71028fa2742d4a26ecf30e6b4eb8
SHA1 b2a07bd19cab5fd7be8ed0de7ac2934ce7cc3752
SHA256 ba381c05e6cd8083abe50136bec85ed088e140610fdac6f449e775e736bf163f
SHA512 6ffe6ded3fe52811b15cbab8667c1a970b0391864dceec7051ee87f536619d81005ee7aa082051511f48274288ae5fbefc324603593350122bf507fb3a309ad4

memory/2076-23-0x0000000004EE0000-0x0000000004F46000-memory.dmp

memory/2076-24-0x0000000074E10000-0x00000000755C0000-memory.dmp

memory/4856-26-0x0000000074E10000-0x00000000755C0000-memory.dmp

memory/2076-27-0x0000000074E10000-0x00000000755C0000-memory.dmp

memory/2076-28-0x0000000074E10000-0x00000000755C0000-memory.dmp