Malware Analysis Report

2024-08-06 15:23

Sample ID 240518-n8jhhaaf64
Target 549e7f845117790309446949d7eaae7c_JaffaCakes118
SHA256 1778a255b790b18f042384c6ebb3176d3f3f0fd172d313b07242ac42b000132e
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

1778a255b790b18f042384c6ebb3176d3f3f0fd172d313b07242ac42b000132e

Threat Level: Known bad

The file 549e7f845117790309446949d7eaae7c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-18 12:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 12:03

Reported

2024-05-18 12:06

Platform

win7-20240419-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager = "C:\\Program Files (x86)\\DOS Manager\\dosmgr.exe" C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DOS Manager\dosmgr.exe C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\DOS Manager\dosmgr.exe C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (3 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe (4 events)
PID 1180 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe (12 events)
PID 2904 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe (4 events)
PID 2904 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe (4 events)

Processes

C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XRgItgAeBZGif" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD817.tmp"

C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDA87.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDB04.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ruffella.ddns.net udp
US 184.105.237.196:1122 ruffella.ddns.net tcp
US 8.8.8.8:53 ruffella.ddns.net udp
US 184.105.237.196:1122 ruffella.ddns.net tcp
US 8.8.8.8:53 ruffella.ddns.net udp
US 184.105.237.196:1122 ruffella.ddns.net tcp
N/A 127.0.0.1:1122 N/A tcp (3 events)
US 8.8.8.8:53 ruffella.ddns.net udp
US 184.105.237.196:1122 ruffella.ddns.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpD817.tmp

MD5 e700c0a6ab15f02a7b5a1012412185cd
SHA1 28c666d68ce838c122ad6ee8bbf01648b49a0679
SHA256 efc0bdb10e7fee200373d2d0c6d7437711a864a78f79f1bebfcf6b03d0ea180a
SHA512 502a8fff20e3c32152dbb6f8f41a3f3e8ae5766ef0f82268748777c854a30f5dc3de121def3fcdd45e096f5e3d42c8193b22d3dbbdd5e23663b1c3bf087c3dad

C:\Users\Admin\AppData\Local\Temp\tmpDA87.tmp

MD5 3a0c75e15140bf2cfca85d7e6088eaca
SHA1 b469cb43a605342ba361122a2105d48ced8e5840
SHA256 0bc3016b5453c9c5378835547565fbafdc625e439f29ff78dce85d68fad9913f
SHA512 468f2e45cf87c9b5b7de205a4e1255d22f71d67a35f403906091d6bcfc74612f36d0f22ef7cee774094bdb218f26304211bbf91555abffc9fd7a574f3f5788de

C:\Users\Admin\AppData\Local\Temp\tmpDB04.tmp

MD5 8f5713b14cee3089852f6c8d2a7a7d57
SHA1 8bffbea05715c6434ad593cce8a2c737f80ff788
SHA256 ab3ce102242c3144f87bcbfe83984a478821cd09e62c0e5211b2ab37dde02d2c
SHA512 82bd2378c2d6bb34a1ad3f2d26bfea583fc8403691bed6668521ba3e8bc7bdbdf142f872ddbc8e5251550f47c9bbee4eb3d0d6096f80d85259082cf68a454c72

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 12:03

Reported

2024-05-18 12:06

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe" C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Service\dhcpsv.exe C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Service\dhcpsv.exe C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (3 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3668 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe (3 events)
PID 3668 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe (3 events)
PID 3668 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe (3 events)
PID 3668 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe (3 events)
PID 3668 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe (8 events)
PID 4812 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe (3 events)
PID 4812 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe (3 events)

Processes

C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XRgItgAeBZGif" /XML "C:\Users\Admin\AppData\Local\Temp\tmp344A.tmp"

C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp39F7.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3A46.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 ruffella.ddns.net udp
US 184.105.237.196:1122 ruffella.ddns.net tcp
US 8.8.8.8:53 196.237.105.184.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ruffella.ddns.net udp
US 184.105.237.196:1122 ruffella.ddns.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (4 events)
US 8.8.8.8:53 ruffella.ddns.net udp
US 184.105.237.196:1122 ruffella.ddns.net tcp
N/A 127.0.0.1:1122 N/A tcp (3 events)

Files

C:\Users\Admin\AppData\Local\Temp\tmp344A.tmp

MD5 1cae09abd0d02a76a5d81546b6f599eb
SHA1 668543adabd5ee5203cda7706e90bbb34172a79c
SHA256 96c8d7881f4fccde04de2871113c04166f0fecece52fea38e0fea96ef99c3988
SHA512 df57906bb95edfb93aa08f17bfca14bb1a022a9e2a73f2973cf7ac59f1169096f6f64fa3dfd58365bbf02b00ce79af791cbc7fc83bd48b94fbb79a91d870b788

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\549e7f845117790309446949d7eaae7c_JaffaCakes118.exe.log

MD5 84e77a587d94307c0ac1357eb4d3d46f
SHA1 83cc900f9401f43d181207d64c5adba7a85edc1e
SHA256 e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512 aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

C:\Users\Admin\AppData\Local\Temp\tmp39F7.tmp

MD5 3a0c75e15140bf2cfca85d7e6088eaca
SHA1 b469cb43a605342ba361122a2105d48ced8e5840
SHA256 0bc3016b5453c9c5378835547565fbafdc625e439f29ff78dce85d68fad9913f
SHA512 468f2e45cf87c9b5b7de205a4e1255d22f71d67a35f403906091d6bcfc74612f36d0f22ef7cee774094bdb218f26304211bbf91555abffc9fd7a574f3f5788de

C:\Users\Admin\AppData\Local\Temp\tmp3A46.tmp

MD5 a77c223a0fc492dccd6fb9975f7a8766
SHA1 5e813636ae9b8138d78919348a5da3a6e8bd74b5
SHA256 589df7325d42409c50827600fedb240171ee4bdab85916474a37800c2382829e
SHA512 315cea8fde3c594404f5d3c96c710af1214cff6d08ccdb40634a739e108ff810e02624735a2b8c3e3720157b4a55327f317c3c23c3a681b46b9ab0f19060f7c0
