Malware Analysis Report

2024-08-06 15:23

Sample ID 240518-js5nksaf6w
Target 53b6adccfa92bc14352aec7289ab2950_JaffaCakes118
SHA256 c5fa6b9642b737e1318245b039002b26141092ca9d055bc99f9250c1ea91b966
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5fa6b9642b737e1318245b039002b26141092ca9d055bc99f9250c1ea91b966

Threat Level: Known bad

The file 53b6adccfa92bc14352aec7289ab2950_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-18 07:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 07:56

Reported

2024-05-18 07:59

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\khc\\fqx.exe C:\\Users\\Admin\\AppData\\Roaming\\khc\\anm-tjs" C:\Users\Admin\AppData\Roaming\khc\fqx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\khc\\fqx.exe C:\\Users\\Admin\\AppData\\Roaming\\khc\\anm-tjs" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2084 set thread context of 2940 N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2084 set thread context of 1708 N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DDP Host\ddphost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\DDP Host\ddphost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\khc\fqx.exe
PID 1776 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Users\Admin\AppData\Roaming\khc\fqx.exe
PID 2084 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2084 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\khc\fqx.exe

"C:\Users\Admin\AppData\Roaming\khc\fqx.exe" anm-tjs

C:\Users\Admin\AppData\Roaming\khc\fqx.exe

C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Users\Admin\AppData\Roaming\khc\ITCWJ

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\Admin\AppData\Roaming\khc\ITCWJ

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
ZA 154.16.63.21:8777 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
ZA 154.16.63.21:8777 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
ZA 154.16.63.21:8777 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
ZA 154.16.63.21:8777 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
ZA 154.16.63.21:8777 tcp

Files

C:\Users\Admin\AppData\Roaming\khc\fqx.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Roaming\khc\anm-tjs

MD5 6276212be5f4f3dc51113b6bff9a4cb4
SHA1 b26e74f82e1fa09a8c332ab39505be5f6efabab0
SHA256 74f704dbe98256359a2593e0883a79152b1c61271405685384a94b12858261c8
SHA512 8b9bd50aff0c896dd587a413162054d8f887426784eaa9fbc09023ce12421cff31ba63378b45bc75f0a3e556a42d18d7c206b16605f8c870a9fce54d5b2b5ceb

C:\Users\Admin\AppData\Roaming\khc\faa.bmp

MD5 a337884da35ac1afc9cb434fd4b0cd9e
SHA1 f9d1935c8cfc8b697c40fa6da71bd950129bef0d
SHA256 d5f05d19ae26abc515edbd0b1328d73c0a43a9b577fbed041b640d49d9b0320c
SHA512 1bddd5d445ec89186043bdabe42f9817ea999eaed702dcc7fab1bec50a8e879ae0f12e706770091644912cd1e7de6f389b396c8af05f8e78a71f4005f9485e4e

C:\Users\Admin\AppData\Roaming\khc\ITCWJ

MD5 e75f7afd6c1fc384fae32f662a3c5939
SHA1 920548e0c819204b114267a1ac5198eb01d2eb43
SHA256 81b7d64bf1736312351fd0207fde3e2c23aa3231607415748ec51c01c377a17a
SHA512 ec1741b87dc453c3e0d91a77f00bf2830445176b8b4ee80722f2c4e6bb53b5a7675a2c8f70274a737023906fa325bc150d10a58688b498c03d0e6a4de1765859

memory/2940-93-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1708-95-0x0000000000D00000-0x0000000000DCC000-memory.dmp

memory/1708-98-0x0000000000D00000-0x0000000000DCC000-memory.dmp

C:\Users\Admin\AppData\Roaming\khc\spd

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 07:56

Reported

2024-05-18 07:59

Platform

win7-20231129-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\khc\\fqx.exe C:\\Users\\Admin\\AppData\\Roaming\\khc\\anm-tjs" C:\Users\Admin\AppData\Roaming\khc\fqx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\khc\\fqx.exe C:\\Users\\Admin\\AppData\\Roaming\\khc\\anm-tjs" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1504 set thread context of 2676 N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1504 set thread context of 1620 N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\TCP Service\tcpsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\TCP Service\tcpsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\khc\fqx.exe
PID 2588 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Users\Admin\AppData\Roaming\khc\fqx.exe
PID 1504 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1504 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\khc\fqx.exe

"C:\Users\Admin\AppData\Roaming\khc\fqx.exe" anm-tjs

C:\Users\Admin\AppData\Roaming\khc\fqx.exe

C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Users\Admin\AppData\Roaming\khc\JILQR

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\Admin\AppData\Roaming\khc\JILQR

Network

Country Destination Domain Proto
ZA 154.16.63.21:8777 tcp

Files

\Users\Admin\AppData\Roaming\khc\fqx.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Roaming\khc\anm-tjs

MD5 6276212be5f4f3dc51113b6bff9a4cb4
SHA1 b26e74f82e1fa09a8c332ab39505be5f6efabab0
SHA256 74f704dbe98256359a2593e0883a79152b1c61271405685384a94b12858261c8
SHA512 8b9bd50aff0c896dd587a413162054d8f887426784eaa9fbc09023ce12421cff31ba63378b45bc75f0a3e556a42d18d7c206b16605f8c870a9fce54d5b2b5ceb

C:\Users\Admin\AppData\Roaming\khc\faa.bmp

MD5 a337884da35ac1afc9cb434fd4b0cd9e
SHA1 f9d1935c8cfc8b697c40fa6da71bd950129bef0d
SHA256 d5f05d19ae26abc515edbd0b1328d73c0a43a9b577fbed041b640d49d9b0320c
SHA512 1bddd5d445ec89186043bdabe42f9817ea999eaed702dcc7fab1bec50a8e879ae0f12e706770091644912cd1e7de6f389b396c8af05f8e78a71f4005f9485e4e

C:\Users\Admin\AppData\Roaming\khc\JILQR

MD5 e75f7afd6c1fc384fae32f662a3c5939
SHA1 920548e0c819204b114267a1ac5198eb01d2eb43
SHA256 81b7d64bf1736312351fd0207fde3e2c23aa3231607415748ec51c01c377a17a
SHA512 ec1741b87dc453c3e0d91a77f00bf2830445176b8b4ee80722f2c4e6bb53b5a7675a2c8f70274a737023906fa325bc150d10a58688b498c03d0e6a4de1765859

memory/2676-107-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2676-109-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2676-108-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2676-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2676-104-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2676-102-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2676-100-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2676-99-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1620-113-0x00000000002D0000-0x000000000039C000-memory.dmp

memory/1620-116-0x00000000002D0000-0x000000000039C000-memory.dmp

memory/1620-117-0x00000000002D0000-0x000000000039C000-memory.dmp

memory/1620-119-0x00000000002D0000-0x000000000039C000-memory.dmp

C:\Users\Admin\AppData\Roaming\khc\spd

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff