Analysis Overview
SHA256
2528988692c3f3020f4b740d1f46e7e952d668eea0880c5f44d98a7be06df9c7
Threat Level: Known bad
The file 4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Modifies Installed Components in the registry
Adds policy Run key to start application
ASPack v2.12-2.42
Loads dropped DLL
Deletes itself
Executes dropped EXE
Modifies WinLogon
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-17 10:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-17 10:02
Reported
2024-05-17 10:04
Platform
win7-20240221-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\services.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\SysWOW64\winkey.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\reginv.dll | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| File created | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe"
C:\Windows\SysWOW64\fservice.exe
C:\Windows\system32\fservice.exe
C:\Windows\services.exe
C:\Windows\services.exe -XP
C:\Windows\SysWOW64\NET.exe
NET STOP srservice
C:\Windows\SysWOW64\NET.exe
NET STOP navapsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP navapsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP srservice
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | aol.com | udp |
| US | 8.8.8.8:53 | mx-aol.mail.gm0.yahoodns.net | udp |
| US | 67.195.228.84:25 | mx-aol.mail.gm0.yahoodns.net | tcp |
Files
memory/2856-0-0x00000000002E0000-0x00000000002E1000-memory.dmp
\Windows\SysWOW64\fservice.exe
| MD5 | 4f7532fdcb9a4429eb0ad8aed59953b9 |
| SHA1 | b248d29e4c42cc39544b7b7d72eadf90fbc84ad5 |
| SHA256 | 2528988692c3f3020f4b740d1f46e7e952d668eea0880c5f44d98a7be06df9c7 |
| SHA512 | f525703bd1cce6387202ddc7dec69789c9bfe79f04f6396e130c10d03ebb9e61e54a52876df4b8dd20cd56e9a1a45e5d6618515ed8e6ae584efbab8e50eba1a2 |
memory/3040-12-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2576-23-0x0000000000260000-0x0000000000261000-memory.dmp
\Windows\SysWOW64\winkey.dll
| MD5 | 36234e0b8df76ea2c282bba1a1b45748 |
| SHA1 | 34880e089a5d5c42bce1622195522b431668206f |
| SHA256 | d610cecdc353cb4a26e7d158c7ea0f78b573b57f9ac8ffc20832f89a7eac5ada |
| SHA512 | cecae4a3e3c890078c01764903da6495d38eb8bcbe689b54607fe4d2029853752187d174690218041b6f0059749bb6ab344e751436c9b8d675e3ee19eced9222 |
memory/2576-25-0x0000000010000000-0x000000001000B000-memory.dmp
\Windows\SysWOW64\reginv.dll
| MD5 | efe1a51eac2e377a23fc11edf9be91d6 |
| SHA1 | 1576d771c4caf4a04b25929fa0f0b06dadc87511 |
| SHA256 | 3320ef352ba97cc4632de11585ac1657e3b279d481465a04656dd230fe65deb5 |
| SHA512 | c8926141178eac63dda8258d71e4d534d0dcb21d9a94d7ab89b3241caa5e25740c845f420d74cfdabc5606296e9c59a75cc74e84005e4dc27dfbe098ea78d6b4 |
memory/3040-34-0x0000000010000000-0x0000000010008000-memory.dmp
memory/2576-33-0x0000000000350000-0x0000000000358000-memory.dmp
memory/3040-35-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2856-38-0x0000000010000000-0x0000000010008000-memory.dmp
memory/3040-37-0x0000000010000000-0x0000000010008000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe.bat
| MD5 | a237ddc789a20a5a5f5e029eaa22d644 |
| SHA1 | 36bc678f5328743e271e99ccc19abfcf5aa1987a |
| SHA256 | 86179efd762b54bd37d4d6dff106195ecca0ff7b91f36dcf1ac148afc0ff43c8 |
| SHA512 | d5e639182380e88617cae5d160d1e41d108cea422f754b12eb41c161723e5e30d38700da5ca7cb190aea5711bbd4fa96b2d99a9f34bae01036ce211ca4c9403d |
memory/2856-48-0x0000000010000000-0x0000000010008000-memory.dmp
memory/2856-47-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-51-0x0000000010000000-0x000000001000B000-memory.dmp
memory/2576-50-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-52-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2576-53-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-55-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-57-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-59-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-61-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-63-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-65-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-67-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-69-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-71-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-73-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-75-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2576-77-0x0000000000400000-0x00000000005F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-17 10:02
Reported
2024-05-17 10:04
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
100s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Windows\services.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\services.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\SysWOW64\winkey.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\reginv.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe | N/A |
| File created | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe"
C:\Windows\SysWOW64\fservice.exe
C:\Windows\system32\fservice.exe
C:\Windows\services.exe
C:\Windows\services.exe -XP
C:\Windows\SysWOW64\NET.exe
NET STOP srservice
C:\Windows\SysWOW64\NET.exe
NET STOP navapsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP srservice
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP navapsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | aol.com | udp |
| US | 8.8.8.8:53 | mx-aol.mail.gm0.yahoodns.net | udp |
| US | 67.195.228.86:25 | mx-aol.mail.gm0.yahoodns.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
Files
memory/2112-0-0x0000000000710000-0x0000000000711000-memory.dmp
C:\Windows\SysWOW64\fservice.exe
| MD5 | 4f7532fdcb9a4429eb0ad8aed59953b9 |
| SHA1 | b248d29e4c42cc39544b7b7d72eadf90fbc84ad5 |
| SHA256 | 2528988692c3f3020f4b740d1f46e7e952d668eea0880c5f44d98a7be06df9c7 |
| SHA512 | f525703bd1cce6387202ddc7dec69789c9bfe79f04f6396e130c10d03ebb9e61e54a52876df4b8dd20cd56e9a1a45e5d6618515ed8e6ae584efbab8e50eba1a2 |
memory/4448-8-0x00000000007E0000-0x00000000007E1000-memory.dmp
memory/4584-17-0x0000000002570000-0x0000000002571000-memory.dmp
C:\Windows\SysWOW64\winkey.dll
| MD5 | 36234e0b8df76ea2c282bba1a1b45748 |
| SHA1 | 34880e089a5d5c42bce1622195522b431668206f |
| SHA256 | d610cecdc353cb4a26e7d158c7ea0f78b573b57f9ac8ffc20832f89a7eac5ada |
| SHA512 | cecae4a3e3c890078c01764903da6495d38eb8bcbe689b54607fe4d2029853752187d174690218041b6f0059749bb6ab344e751436c9b8d675e3ee19eced9222 |
memory/4584-21-0x0000000010000000-0x000000001000B000-memory.dmp
C:\Windows\SysWOW64\reginv.dll
| MD5 | efe1a51eac2e377a23fc11edf9be91d6 |
| SHA1 | 1576d771c4caf4a04b25929fa0f0b06dadc87511 |
| SHA256 | 3320ef352ba97cc4632de11585ac1657e3b279d481465a04656dd230fe65deb5 |
| SHA512 | c8926141178eac63dda8258d71e4d534d0dcb21d9a94d7ab89b3241caa5e25740c845f420d74cfdabc5606296e9c59a75cc74e84005e4dc27dfbe098ea78d6b4 |
memory/4584-29-0x00000000025E0000-0x00000000025E8000-memory.dmp
memory/4584-30-0x00000000025E1000-0x00000000025E2000-memory.dmp
memory/4448-33-0x0000000010000000-0x0000000010008000-memory.dmp
memory/4448-35-0x0000000010000000-0x0000000010008000-memory.dmp
memory/2112-37-0x0000000010000000-0x0000000010008000-memory.dmp
memory/4448-34-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/2112-41-0x0000000010000000-0x0000000010008000-memory.dmp
memory/2112-40-0x0000000000400000-0x00000000005F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4f7532fdcb9a4429eb0ad8aed59953b9_JaffaCakes118.exe.bat
| MD5 | a237ddc789a20a5a5f5e029eaa22d644 |
| SHA1 | 36bc678f5328743e271e99ccc19abfcf5aa1987a |
| SHA256 | 86179efd762b54bd37d4d6dff106195ecca0ff7b91f36dcf1ac148afc0ff43c8 |
| SHA512 | d5e639182380e88617cae5d160d1e41d108cea422f754b12eb41c161723e5e30d38700da5ca7cb190aea5711bbd4fa96b2d99a9f34bae01036ce211ca4c9403d |
memory/4584-44-0x0000000010000000-0x000000001000B000-memory.dmp
memory/4584-43-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-45-0x0000000002570000-0x0000000002571000-memory.dmp
memory/4584-46-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-48-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-50-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-52-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-54-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-56-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-58-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-60-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-62-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-64-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-66-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-68-0x0000000000400000-0x00000000005F4000-memory.dmp
memory/4584-70-0x0000000000400000-0x00000000005F4000-memory.dmp