Malware Analysis Report

2024-07-11 07:34

Sample ID 240516-yvqd1aeb38
Target 4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118
SHA256 4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159
Tags
plugx trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159

Threat Level: Known bad

The file 4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

plugx trojan

Detects PlugX payload

PlugX

Loads dropped DLL

Deletes itself

Executes dropped EXE

Unsigned PE

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-16 20:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 20:06

Reported

2024-05-16 20:09

Platform

win7-20240419-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
(22 matches recorded; the sandbox supplies no description, indicator, process or target for any of them)

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A
N/A N/A C:\ProgramData\hkcmd\hc.exe N/A
N/A N/A C:\ProgramData\hkcmd\hc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D} C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadDecisionTime = 60caa3c2cca7da01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\fe-99-13-52-c7-4d C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDecisionTime = 60caa3c2cca7da01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDetectedUrl C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45004600430032003400420030003200380036003300360044003200380036000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A (1 event)
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A (13 events)
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A (50 events, logged as five bursts of ten, each burst preceded by svchost.exe events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\hkcmd\hc.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\hkcmd\hc.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\hkcmd\hc.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\hkcmd\hc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 1624 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hc.exe
PID 2620 wrote to memory of 2764 (9 events) N/A C:\ProgramData\hkcmd\hc.exe C:\Windows\SysWOW64\svchost.exe
PID 2764 wrote to memory of 2972 (12 events) N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\hc.exe

C:\Users\Admin\AppData\Local\Temp\hc.exe

C:\ProgramData\hkcmd\hc.exe

"C:\ProgramData\hkcmd\hc.exe" 100 1624

C:\ProgramData\hkcmd\hc.exe

"C:\ProgramData\hkcmd\hc.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2764

Network

Country Destination Domain Proto
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 msn.catalogipdate.com udp
N/A 127.0.0.1:12345 tcp (18 connections, in groups of three)
N/A 127.0.0.1:12345 udp (6 connections, one after each group of three tcp)

Files

\Users\Admin\AppData\Local\Temp\hccutils.dll

MD5 1dd363b3564929d0bc336571dec74cf0
SHA1 21c953538bba7749bcc3ce049b2df9df396bc2b7
SHA256 88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e
SHA512 0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

C:\Users\Admin\AppData\Local\Temp\hc.exe

MD5 23f2c3dbdb65c898a11e7f4ddc598a10
SHA1 cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c
SHA256 a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677
SHA512 0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

memory/1936-0-0x0000000000080000-0x00000000000BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hccutils.DLL.res

MD5 81693011cb717a15ad364a7344f8ffcf
SHA1 0e26b1b58c3a8f978874fd86762af11208999fb3
SHA256 01d5786b31dbb6855f089ae4569c40d5b99b4aed9462053358572898d797b6aa
SHA512 10ff4a7af7c8bd30b696ca1d2c9d3f7d29ed9a79f45264a0442d64cbc81a6e0945842c24d44e97a96a8db3686d9e00f9d0f73799e90620a74ed6ba7b58dded53

memory/1624-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1624-11-0x0000000000410000-0x0000000000411000-memory.dmp

memory/1624-13-0x0000000000560000-0x000000000058D000-memory.dmp

memory/2608-31-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2608-32-0x00000000005F0000-0x000000000061D000-memory.dmp

memory/2620-35-0x0000000001C80000-0x0000000001CAD000-memory.dmp

memory/2764-39-0x00000000000C0000-0x00000000000C2000-memory.dmp

memory/2764-38-0x00000000000A0000-0x00000000000BB000-memory.dmp

memory/2764-36-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2620-42-0x0000000001C80000-0x0000000001CAD000-memory.dmp

memory/2764-45-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2764-59-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2764-58-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2764-57-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2764-56-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2764-60-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2764-55-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2764-44-0x0000000000200000-0x000000000022D000-memory.dmp

memory/1624-43-0x0000000000560000-0x000000000058D000-memory.dmp

memory/2764-61-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2764-40-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2764-41-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2764-62-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2764-65-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2608-66-0x00000000005F0000-0x000000000061D000-memory.dmp

memory/2972-75-0x0000000000360000-0x000000000038D000-memory.dmp

memory/2972-78-0x0000000000360000-0x000000000038D000-memory.dmp

memory/2972-77-0x0000000000360000-0x000000000038D000-memory.dmp

memory/2972-76-0x0000000000070000-0x0000000000071000-memory.dmp

memory/2764-79-0x0000000000200000-0x000000000022D000-memory.dmp

memory/2764-85-0x0000000000200000-0x000000000022D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 20:06

Reported

2024-05-16 20:09

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
(22 matches recorded; the sandbox supplies no description, indicator, process or target for any of them)

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A
N/A N/A C:\ProgramData\hkcmd\hc.exe N/A
N/A N/A C:\ProgramData\hkcmd\hc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A
N/A N/A C:\ProgramData\hkcmd\hc.exe N/A
N/A N/A C:\ProgramData\hkcmd\hc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34003200320038004600340042004300360039003200360032004500460034000000 C:\Windows\SysWOW64\svchost.exe N/A
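The CLSID value under HKLM\SOFTWARE\Classes\FAST is shown above as raw hex in both the Win7 (behavioral1) and Win10 (behavioral2) tables. It is NUL-terminated UTF-16LE text, and decoding it is a quick way to see what the implant actually stored. The following is an added example, not code from the report or from the sandbox vendor; the only inputs are the two hex strings copied from this page, and the "hex-id shaped" check is an observation about these two values, not a documented PlugX field layout.

```python
# Added example (not part of the sandbox report): decode the REG_BINARY value
# written to HKLM\SOFTWARE\Classes\FAST\CLSID in both detonations. The report
# prints it as hex; the bytes are NUL-terminated UTF-16LE text.

# Hex strings copied from the two "Modifies registry class" tables on this page.
CLSID_WIN7 = "45004600430032003400420030003200380036003300360044003200380036000000"
CLSID_WIN10 = "34003200320038004600340042004300360039003200360032004500460034000000"


def decode_reg_binary_utf16(hex_value: str) -> str:
    """Decode a hex-encoded REG_BINARY blob as NUL-terminated UTF-16LE text.

    Raises ValueError when the input is not hex, has an odd number of bytes,
    or does not decode as UTF-16 (i.e. it is not really text).
    """
    raw = bytes.fromhex(hex_value)
    if len(raw) % 2:
        raise ValueError("UTF-16 data must have an even byte length")
    text = raw.decode("utf-16-le")      # strict decoding: binary junk raises
    return text.split("\x00", 1)[0]     # keep only the text before the first NUL


def looks_like_hex_id(text: str) -> bool:
    """Observation-based shape check: 16 upper-case hex digits, i.e. a 64-bit
    value rendered as text. Both values on this page fit this shape; it is not
    a documented PlugX format, just what these two detonations show."""
    return len(text) == 16 and all(c in "0123456789ABCDEF" for c in text)


if __name__ == "__main__":
    for label, hex_value in (("win7", CLSID_WIN7), ("win10", CLSID_WIN10)):
        decoded = decode_reg_binary_utf16(hex_value)
        print(f"{label}: {decoded} (hex-id shaped: {looks_like_hex_id(decoded)})")
```

The two runs decode to different 16-character values, so the value itself is per-host and is a poor indicator; the key path \REGISTRY\MACHINE\Software\CLASSES\FAST, created by an svchost.exe that should have no reason to touch it, is the part worth hunting for.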

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A (2 events)
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A (12 events)
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A (50 events, logged as five bursts of ten, each burst preceded by svchost.exe events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hc.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\hkcmd\hc.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\hkcmd\hc.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\hkcmd\hc.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\hkcmd\hc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 852 wrote to memory of 60 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hc.exe
PID 1340 wrote to memory of 228 (8 events) N/A C:\ProgramData\hkcmd\hc.exe C:\Windows\SysWOW64\svchost.exe
PID 228 wrote to memory of 4604 (8 events) N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\hc.exe

C:\Users\Admin\AppData\Local\Temp\hc.exe

C:\ProgramData\hkcmd\hc.exe

"C:\ProgramData\hkcmd\hc.exe" 100 60

C:\ProgramData\hkcmd\hc.exe

"C:\ProgramData\hkcmd\hc.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 228
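The Processes and WriteProcessMemory tables of both runs describe the same chain: the dropper starts hc.exe from Temp, a copy runs from C:\ProgramData\hkcmd with numeric arguments, that copy writes into a freshly started svchost.exe, and that svchost.exe writes into msiexec.exe. Two details are worth reading correctly: the command lines say C:\Windows\system32\ while the image paths are SysWOW64, which is WoW64 file-system redirection for a 32-bit caller, not a typo; and svchost.exe here has no services.exe parent and no -k group, which is the shape to hunt for. The block below is an added example, not code from the report or the sandbox vendor. It rebuilds the Win7 (behavioral1) chain as Sysmon-style records and runs hunting checks over them; the PIDs are the ones the report gives, the parent PIDs marked ASSUMED are inferred from the "100 1624" and "200 0" arguments because the report does not list parents, and the pid 800 service host is a constructed benign control.

```python
import re

# Added example, not part of the sandbox report. Re-creates the Win7 (behavioral1)
# execution chain from the "Processes" and "Suspicious use of WriteProcessMemory"
# tables as Sysmon-style records and runs hunting checks over them. Parent PIDs
# marked ASSUMED are inferred from command-line arguments; the report does not
# list them.

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\local\\temp\\")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe"
HC_TEMP = r"C:\Users\Admin\AppData\Local\Temp\hc.exe"
HC_PD = r"C:\ProgramData\hkcmd\hc.exe"
SVCHOST32 = r"C:\Windows\SysWOW64\svchost.exe"
MSIEXEC32 = r"C:\Windows\SysWOW64\msiexec.exe"

PROC_EVENTS = [
    {"pid": 1936, "ppid": None, "image": DROPPER, "parent_image": None,
     "cmdline": f'"{DROPPER}"'},
    {"pid": 1624, "ppid": 1936, "image": HC_TEMP, "parent_image": DROPPER,
     "cmdline": HC_TEMP},
    # ASSUMED: the "100 1624" argument names the Temp hc.exe (pid 1624) as the caller.
    {"pid": 2608, "ppid": 1624, "image": HC_PD, "parent_image": HC_TEMP,
     "cmdline": f'"{HC_PD}" 100 1624'},
    # ASSUMED: the "200 0" instance is started by the "100" instance.
    {"pid": 2620, "ppid": 2608, "image": HC_PD, "parent_image": HC_PD,
     "cmdline": f'"{HC_PD}" 200 0'},
    # Command line says system32, image is SysWOW64: WoW64 file-system
    # redirection for a 32-bit caller. Parent taken from the write table.
    {"pid": 2764, "ppid": 2620, "image": SVCHOST32, "parent_image": HC_PD,
     "cmdline": r"C:\Windows\system32\svchost.exe 201 0"},
    {"pid": 2972, "ppid": 2764, "image": MSIEXEC32, "parent_image": SVCHOST32,
     "cmdline": r"C:\Windows\system32\msiexec.exe 209 2764"},
    # Constructed benign control: an ordinary service host.
    {"pid": 800, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# "wrote to memory of" rows, with how many times each pair appears in the table.
WRITE_EVENTS = [
    {"source_pid": 1936, "source_image": DROPPER, "target_pid": 1624, "target_image": HC_TEMP, "count": 4},
    {"source_pid": 2620, "source_image": HC_PD, "target_pid": 2764, "target_image": SVCHOST32, "count": 9},
    {"source_pid": 2764, "source_image": SVCHOST32, "target_pid": 2972, "target_image": MSIEXEC32, "count": 12},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower() if path else ""


def is_system_binary(path):
    return bool(path) and path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path):
    return bool(path) and any(m in path.lower() for m in USER_WRITABLE)


def args_of(cmdline):
    """Tokens after the image token, which may be quoted or bare."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).split() if m else []


def numeric_only_args(cmdline):
    """True when every argument is a bare integer, as in 'svchost.exe 201 0'."""
    args = args_of(cmdline)
    return bool(args) and all(a.isdigit() for a in args)


def hunt(proc_events, write_events):
    """Return {pid: [reasons]} for processes matching any check."""
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for ev in proc_events:
        name = basename(ev["image"])
        if name == "svchost.exe" and (basename(ev["parent_image"]) != "services.exe"
                                      or "-k" not in args_of(ev["cmdline"])):
            flag(ev["pid"], "svchost.exe outside the services.exe / -k service-host pattern")
        if is_system_binary(ev["image"]) and numeric_only_args(ev["cmdline"]):
            flag(ev["pid"], "system binary started with numeric-only arguments")
        if is_system_binary(ev["image"]) and in_user_writable(ev["parent_image"]):
            flag(ev["pid"], "system binary spawned by a process in a user-writable directory")

    for w in write_events:
        if is_system_binary(w["target_image"]) and not is_system_binary(w["source_image"]):
            flag(w["target_pid"], f"memory written by non-system pid {w['source_pid']} ({w['count']} writes)")
        elif is_system_binary(w["target_image"]) and w["source_pid"] in findings:
            flag(w["target_pid"], f"memory written by already-flagged pid {w['source_pid']} ({w['count']} writes)")
    return findings


if __name__ == "__main__":
    for pid, reasons in hunt(PROC_EVENTS, WRITE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Only the injected svchost.exe (2764) and msiexec.exe (2972) are flagged; the benign service host is not, and the dropper writing into its own freshly created hc.exe child is deliberately left alone because a parent populating a child it just created is not, by itself, a useful signal. The same checks apply unchanged to the Win10 run's PIDs (852, 60, 1340, 228, 4604).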

Network

Country Destination Domain Proto
US 8.8.8.8:53 222.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 msn.catalogipdate.com udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.104:443 www.bing.com tcp
US 8.8.8.8:53 104.61.62.23.in-addr.arpa udp
N/A 127.0.0.1:12345 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 udp
N/A 127.0.0.1:12345 tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 udp
US 8.8.8.8:53 msn.catalogipdate.com udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 udp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 udp
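The Network tables of both runs mix three kinds of traffic: reverse-DNS (in-addr.arpa) lookups and Bing/MSN connections that the Win10 image generates on its own, repeated loopback traffic to 127.0.0.1:12345 with no remote peer, and two lookups of msn.catalogipdate.com, the only external name that is not accounted for by the operating system. The sandbox does not attribute connections to processes, so this separation is the first triage step. The block below is an added example, not code from the report or the sandbox vendor: it parses rows in the table's "Country Destination [Domain] Proto" shape, with the Domain column optional, and sorts them by category. The rows it uses are a constructed subset copied from the Win10 (behavioral2) table in page order, and the OS-noise allowlist is an assumption of the analyst's own, matched on the registrable suffix so that the "msn." prefix on the unknown domain does not get it swallowed by an msn.com entry.

```python
from collections import Counter, defaultdict

# Added example, not part of the sandbox report. Parses rows in the shape of the
# "Network" tables above and sorts them into sandbox/OS noise versus traffic
# worth attributing to the sample. The rows below are a constructed subset
# copied from the Win10 (behavioral2) table, in page order.
NETWORK_ROWS = """\
US 8.8.8.8:53 222.131.50.23.in-addr.arpa udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 msn.catalogipdate.com udp
NL 23.62.61.104:443 www.bing.com tcp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 udp
US 8.8.8.8:53 msn.catalogipdate.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:12345 tcp
"""

# ASSUMED analyst allowlist: background traffic the Win10 image generates on its
# own. Matched on the registrable suffix only, so a lookalike such as
# msn.catalogipdate.com is not swallowed by the msn.com entry.
OS_NOISE_SUFFIXES = ("bing.com", "bing.net", "msn.com")


def parse_rows(text):
    """Rows are 'Country Destination [Domain] Proto'; Domain is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or ":" not in parts[1]:
            continue                      # header, blank or malformed line
        ip, _, port = parts[1].rpartition(":")
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else None,
                     "proto": parts[-1]})
    return rows


def is_allowlisted(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in OS_NOISE_SUFFIXES)


def classify(row):
    if row["ip"] == "127.0.0.1":
        return "loopback"                 # no remote peer; correlate with the process list
    if row["ip"].endswith(".255"):
        return "local-broadcast"          # sandbox network plumbing
    if row["domain"] is None:
        return "review"
    if row["domain"].endswith(".in-addr.arpa"):
        return "reverse-dns"              # PTR lookups the OS makes for peers it has seen
    if is_allowlisted(row["domain"]):
        return "os-noise"
    return "review"


def summarize(rows):
    """{category: Counter((domain-or-endpoint, proto) -> hits)}"""
    out = defaultdict(Counter)
    for r in rows:
        key = (r["domain"] or f"{r['ip']}:{r['port']}", r["proto"])
        out[classify(r)][key] += 1
    return out


if __name__ == "__main__":
    for category, hits in summarize(parse_rows(NETWORK_ROWS)).items():
        print(category)
        for (name, proto), n in hits.most_common():
            print(f"  {n:3d}  {proto}  {name}")
```

After the noise is removed, what is left to review is exactly the msn.catalogipdate.com lookups (two in this subset, two in the full Win10 table, one in the Win7 table) plus the loopback endpoint; note that no connection to a resolved address for that domain appears in either table, so the page supports the domain as an indicator but not any C2 IP.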

Files

C:\Users\Admin\AppData\Local\Temp\hc.exe

MD5 23f2c3dbdb65c898a11e7f4ddc598a10
SHA1 cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c
SHA256 a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677
SHA512 0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

memory/852-4-0x0000000000FB0000-0x0000000000FEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hccutils.DLL.res

MD5 81693011cb717a15ad364a7344f8ffcf
SHA1 0e26b1b58c3a8f978874fd86762af11208999fb3
SHA256 01d5786b31dbb6855f089ae4569c40d5b99b4aed9462053358572898d797b6aa
SHA512 10ff4a7af7c8bd30b696ca1d2c9d3f7d29ed9a79f45264a0442d64cbc81a6e0945842c24d44e97a96a8db3686d9e00f9d0f73799e90620a74ed6ba7b58dded53

memory/60-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/60-10-0x0000000000410000-0x0000000000411000-memory.dmp

memory/60-12-0x0000000001F60000-0x0000000001F8D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hccutils.dll

MD5 1dd363b3564929d0bc336571dec74cf0
SHA1 21c953538bba7749bcc3ce049b2df9df396bc2b7
SHA256 88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e
SHA512 0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

memory/4116-30-0x0000000002190000-0x00000000021BD000-memory.dmp

memory/4116-31-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1340-35-0x0000000000C60000-0x0000000000C8D000-memory.dmp

memory/1340-34-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1340-37-0x0000000000C60000-0x0000000000C8D000-memory.dmp

memory/228-36-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/228-50-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/228-53-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/60-54-0x0000000001F60000-0x0000000001F8D000-memory.dmp

memory/228-58-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/228-57-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/228-56-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/228-55-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/228-52-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/228-49-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/228-38-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/228-51-0x0000000000890000-0x0000000000891000-memory.dmp

memory/228-61-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/4116-62-0x0000000002190000-0x00000000021BD000-memory.dmp

memory/4604-63-0x00000000025D0000-0x00000000025FD000-memory.dmp

memory/4604-66-0x00000000025D0000-0x00000000025FD000-memory.dmp

memory/4604-65-0x00000000025D0000-0x00000000025FD000-memory.dmp

memory/4604-64-0x0000000000C40000-0x0000000000C41000-memory.dmp

memory/228-67-0x0000000000EB0000-0x0000000000EDD000-memory.dmp

memory/4604-69-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/228-74-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
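The Files tables of both runs list the same three dropped files with identical hashes: hc.exe, hccutils.dll and hccutils.DLL.res, written to Temp and then run from C:\ProgramData\hkcmd. An EXE next to a DLL that has a ".res" sibling of the same name is the loader/DLL/payload layout widely documented for PlugX side-loading; the page itself does not say which file carries the payload, so the layout check below is a hunting heuristic, not a verdict. The block is an added example, not code from the report or the sandbox vendor. It runs two checks over a directory: SHA-256 matches against the hashes in the Files tables, and the three-file layout. The demo directory and its contents are constructed placeholders, so the hash check finds nothing there by design; against a real host it would label any file whose hash matches.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not part of the sandbox report. Two checks over a directory on a
# host being triaged: SHA-256 matches against the hashes in the "Files" tables
# above, and the EXE + DLL + '<dll>.res' layout those tables show. The demo
# directory is a constructed stand-in with placeholder contents.

# SHA-256 values copied from this page.
IOC_SHA256 = {
    "4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159": "dropper 4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118",
    "a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677": "hc.exe",
    "88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e": "hccutils.dll",
    "01d5786b31dbb6855f089ae4569c40d5b99b4aed9462053358572898d797b6aa": "hccutils.DLL.res",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_hits(directory):
    """{file name: label} for files whose SHA-256 is in IOC_SHA256."""
    hits = {}
    for p in Path(directory).iterdir():
        if p.is_file():
            label = IOC_SHA256.get(sha256_file(p))
            if label:
                hits[p.name] = label
    return hits


def find_sideload_layouts(directory):
    """Groups of EXE + DLL + '<dll>.res' in one directory, matched case-insensitively."""
    d = Path(directory)
    files = {p.name.lower(): p for p in d.iterdir() if p.is_file()}
    exes = sorted(p.name for n, p in files.items() if n.endswith(".exe"))
    layouts = []
    for n, p in files.items():
        res = files.get(n + ".res")
        if n.endswith(".dll") and res is not None and exes:
            layouts.append({"dir": str(d), "exes": exes, "dll": p.name, "res": res.name})
    return layouts


def build_demo_dir():
    """Constructed stand-in for the hkcmd directory; contents are placeholders."""
    d = Path(tempfile.mkdtemp(prefix="hkcmd-demo-"))
    for name, content in {
        "hc.exe": b"MZ placeholder, not the real loader",
        "hccutils.dll": b"MZ placeholder, not the real DLL",
        "hccutils.DLL.res": b"placeholder blob, not the real payload",
        "readme.txt": b"unrelated file",
    }.items():
        (d / name).write_bytes(content)
    return str(d)


if __name__ == "__main__":
    demo = build_demo_dir()
    print("hash hits:", hash_hits(demo))
    print("layouts:", find_sideload_layouts(demo))
```

Hashes are the stronger check when they match and useless when the loader is rebuilt; the layout check is the reverse, so run both, and treat a layout hit under ProgramData or a user's Temp directory as something to pull for analysis rather than as proof.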