Malware Analysis Report

2024-11-13 18:51

Sample ID 240520-a2wycsbg8w
Target 5c51795853e77f806174a130eaf39694_JaffaCakes118
SHA256 181e4423a1bec894471cf972cac0f4d297838621f97a3fdba1392534919b9eac
Tags
remcos persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

181e4423a1bec894471cf972cac0f4d297838621f97a3fdba1392534919b9eac

Threat Level: Known bad

The file 5c51795853e77f806174a130eaf39694_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos persistence rat

Remcos

Uses the VBS compiler for execution

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 00:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 00:43

Reported

2024-05-20 00:45

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ยด34p5roi7ymjero = "C:\\Users\\Admin\\0p9riy6t290wueporiy'u4prhmt.exe" C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1936 set thread context of 3040 N/A C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe N/A
(identical row repeated 64 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
(identical row repeated 11 times)

Processes

C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 casillas.hicam.net udp
US 8.8.8.8:53 casillasmx.chickenkiller.com udp
US 8.8.8.8:53 casillas45.hopto.org udp
US 8.8.8.8:53 casillas.libfoobar.so udp
US 8.8.8.8:53 du4alr0ute.sendsmtp.com udp
MX 187.155.77.154:2404 du4alr0ute.sendsmtp.com tcp
US 8.8.8.8:53 settings.wifizone.org udp
US 8.8.8.8:53 wifi.con-ip.com udp
MX 187.155.58.99:2404 wifi.con-ip.com tcp
US 8.8.8.8:53 rsaupdatr.jumpingcrab.com udp
N/A 127.0.0.2:2404 tcp
US 8.8.8.8:53 du4alr0ute.sendsmtp.com udp
MX 187.155.77.154:2404 du4alr0ute.sendsmtp.com tcp
MX 187.155.58.99:2404 wifi.con-ip.com tcp
N/A 127.0.0.2:2404 tcp
US 8.8.8.8:53 du4alr0ute.sendsmtp.com udp
MX 187.155.77.154:2404 du4alr0ute.sendsmtp.com tcp
MX 187.155.58.99:2404 wifi.con-ip.com tcp
N/A 127.0.0.2:2404 tcp
US 8.8.8.8:53 du4alr0ute.sendsmtp.com udp
MX 187.155.77.154:2404 du4alr0ute.sendsmtp.com tcp

Files

memory/1936-0-0x000000007407E000-0x000000007407F000-memory.dmp

memory/1936-1-0x0000000000F50000-0x0000000000FDA000-memory.dmp

memory/1936-2-0x0000000000360000-0x0000000000396000-memory.dmp

memory/1936-3-0x0000000000240000-0x0000000000254000-memory.dmp

memory/3040-5-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1936-14-0x0000000074070000-0x000000007475E000-memory.dmp

memory/3040-20-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3040-17-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3040-15-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3040-16-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3040-12-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3040-10-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3040-9-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3040-8-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3040-7-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3040-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/3040-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1936-22-0x000000007407E000-0x000000007407F000-memory.dmp

memory/1936-23-0x0000000074070000-0x000000007475E000-memory.dmp

memory/3040-25-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Roaming\VFGRBTR\logs.dat

MD5 2025d212174039e3c75186de5d9c0205
SHA1 4bd819b2156c87c07424f579b792db7dbb5505d6
SHA256 7b94b1002eda1d3040ef828bd633fda53a0e5ed1fa41437aefacff9e2ac8355b
SHA512 2beeb5d6611bb9bd422f2c8db53593ee9dc74177d0f251a12791eb0955d99f245445ae28cafe68c5ccfa122fb9810f479e92425e1a886f18eaee0fd6d66bf610

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 00:43

Reported

2024-05-20 00:45

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ยด34p5roi7ymjero = "C:\\Users\\Admin\\0p9riy6t290wueporiy'u4prhmt.exe" C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1636 set thread context of 4516 N/A C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe N/A
(identical row repeated 64 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
(identical row repeated 10 times)

Processes

C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5c51795853e77f806174a130eaf39694_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 casillas.hicam.net udp
US 8.8.8.8:53 casillasmx.chickenkiller.com udp
US 8.8.8.8:53 casillas45.hopto.org udp
US 8.8.8.8:53 casillas.libfoobar.so udp
US 8.8.8.8:53 du4alr0ute.sendsmtp.com udp
MX 187.155.77.154:2404 du4alr0ute.sendsmtp.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 settings.wifizone.org udp
US 8.8.8.8:53 wifi.con-ip.com udp
MX 187.155.58.99:2404 wifi.con-ip.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
N/A 127.0.0.2:2404 tcp
US 8.8.8.8:53 casillas.hicam.net udp
US 8.8.8.8:53 casillasmx.chickenkiller.com udp
US 8.8.8.8:53 casillas.libfoobar.so udp
US 8.8.8.8:53 du4alr0ute.sendsmtp.com udp
MX 187.155.77.154:2404 du4alr0ute.sendsmtp.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 settings.wifizone.org udp
MX 187.155.58.99:2404 wifi.con-ip.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
N/A 127.0.0.2:2404 tcp
US 8.8.8.8:53 casillas.hicam.net udp
US 8.8.8.8:53 casillasmx.chickenkiller.com udp
US 8.8.8.8:53 casillas.libfoobar.so udp
US 8.8.8.8:53 du4alr0ute.sendsmtp.com udp
MX 187.155.77.154:2404 du4alr0ute.sendsmtp.com tcp
US 8.8.8.8:53 settings.wifizone.org udp
MX 187.155.58.99:2404 wifi.con-ip.com tcp
N/A 127.0.0.2:2404 tcp
US 8.8.8.8:53 casillas.hicam.net udp
US 8.8.8.8:53 casillasmx.chickenkiller.com udp
US 8.8.8.8:53 casillas.libfoobar.so udp
US 8.8.8.8:53 du4alr0ute.sendsmtp.com udp
MX 187.155.77.154:2404 du4alr0ute.sendsmtp.com tcp

Files

memory/1636-0-0x000000007496E000-0x000000007496F000-memory.dmp

memory/1636-1-0x00000000003F0000-0x000000000047A000-memory.dmp

memory/1636-2-0x0000000000F70000-0x0000000000FA6000-memory.dmp

memory/1636-3-0x0000000000FA0000-0x0000000000FB4000-memory.dmp

memory/1636-5-0x0000000004E70000-0x0000000004F0C000-memory.dmp

memory/4516-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4516-8-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4516-12-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4516-9-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-13-0x0000000074960000-0x0000000075110000-memory.dmp

memory/4516-14-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-16-0x000000007496E000-0x000000007496F000-memory.dmp

memory/1636-17-0x0000000074960000-0x0000000075110000-memory.dmp

memory/4516-19-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Roaming\VFGRBTR\logs.dat

MD5 ae6c7a354691325ae0efe85cf4e06790
SHA1 e444c17eabde96a891b969cc621c7e429293271b
SHA256 947279feac65b47b4e2d75234ada44816b19b43f65b902f26b61c556f26793ec
SHA512 531d5ed92125ffb30b9a9c4c6a8a62999496061df28cfbd5e600cf807e317b2cde0a64426b6d3b3656adb39d2d122b471cd03c4aff523e369722398a0e984097