Malware Analysis Report

2024-08-06 15:23

Sample ID: 240520-r617bafb4s
Target: 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118
SHA256: e4d47d83fb4fbdff2fcbd92cb545e52b8ab90f0b7e3a97cc922484ff99151c2b
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: e4d47d83fb4fbdff2fcbd92cb545e52b8ab90f0b7e3a97cc922484ff99151c2b

Threat Level: Known bad

The file 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-20 14:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 14:49

Reported: 2024-05-20 14:51

Platform: win7-20240221-en

Max time kernel: 149s

Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1740 set thread context of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
File opened for modification C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1740 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1740 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1740 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1740 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1740 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1740 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1740 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1740 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1740 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA026.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA323.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp

Files

memory/1740-0-0x0000000074131000-0x0000000074132000-memory.dmp

memory/1740-1-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/1740-2-0x0000000074130000-0x00000000746DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 5fa949797f79334bc295b2283eeb8b49
SHA1 7d69f9b7592a7d2eaa2cdc401395c531584475a6
SHA256 e4d47d83fb4fbdff2fcbd92cb545e52b8ab90f0b7e3a97cc922484ff99151c2b
SHA512 b2c84ad267d4a79c89bcb964a536cfdaaa28a330e7081886b614fcb46435c6e0d80c375e642b99a6f109b996d2c5cd32ae0c883deb354ab01e6108416ba393c9

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 2e5f1cf69f92392f8829fc9c9263ae9b
SHA1 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA256 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512 f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

memory/2508-26-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2508-28-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2508-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2508-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2508-30-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/2508-23-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2508-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2508-31-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/2508-13-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2508-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA026.tmp

MD5 24de2170a8dce23ab327cf07c00cd17e
SHA1 c759a98d8447e9674d0707da64cd97204720c0ae
SHA256 fa98fbb5ddd9fcbcdc76196d8dc524602815d90d244eb43f7f983a829b7d3b3d
SHA512 83ea8711513efbd1a4045b27fcd916cab7c9b6ab3e519500db114287b8a42103f44142e1c350f1f7a0bb76d291bfc838834d423338a23a30ff2f15066ff87d2b

C:\Users\Admin\AppData\Local\Temp\tmpA323.tmp

MD5 93d357e6194c8eb8d0616a9f592cc4bf
SHA1 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
SHA256 a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
SHA512 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f

memory/1740-39-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/2508-40-0x0000000074130000-0x00000000746DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-20 14:49

Reported: 2024-05-20 14:51

Platform: win10v2004-20240508-en

Max time kernel: 144s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 208 set thread context of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
File opened for modification C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4768 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4768 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4768 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 208 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 208 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 208 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 208 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 208 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 208 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 208 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 208 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1968 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4D07.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
CH 91.192.100.26:8017 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
US 8.8.4.4:53 nanaaugust.ddns.net udp
US 8.8.8.8:53 nanaaugust.ddns.net udp
CH 91.192.100.26:8017 tcp
CH 91.192.100.26:8017 tcp

Files

memory/208-0-0x0000000075032000-0x0000000075033000-memory.dmp

memory/208-1-0x0000000075030000-0x00000000755E1000-memory.dmp

memory/208-2-0x0000000075030000-0x00000000755E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 5fa949797f79334bc295b2283eeb8b49
SHA1 7d69f9b7592a7d2eaa2cdc401395c531584475a6
SHA256 e4d47d83fb4fbdff2fcbd92cb545e52b8ab90f0b7e3a97cc922484ff99151c2b
SHA512 b2c84ad267d4a79c89bcb964a536cfdaaa28a330e7081886b614fcb46435c6e0d80c375e642b99a6f109b996d2c5cd32ae0c883deb354ab01e6108416ba393c9

memory/1968-12-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 84c42d0f2c1ae761bef884638bc1eacd
SHA1 4353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA512 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

memory/1968-15-0x0000000075030000-0x00000000755E1000-memory.dmp

memory/1968-16-0x0000000075030000-0x00000000755E1000-memory.dmp

memory/1968-17-0x0000000075030000-0x00000000755E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4D07.tmp

MD5 24de2170a8dce23ab327cf07c00cd17e
SHA1 c759a98d8447e9674d0707da64cd97204720c0ae
SHA256 fa98fbb5ddd9fcbcdc76196d8dc524602815d90d244eb43f7f983a829b7d3b3d
SHA512 83ea8711513efbd1a4045b27fcd916cab7c9b6ab3e519500db114287b8a42103f44142e1c350f1f7a0bb76d291bfc838834d423338a23a30ff2f15066ff87d2b

C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp

MD5 5fea24e883e06e4df6d240dc72abf2c5
SHA1 d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256 e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA512 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

memory/1968-25-0x0000000075030000-0x00000000755E1000-memory.dmp

memory/208-27-0x0000000075030000-0x00000000755E1000-memory.dmp

memory/1968-28-0x0000000075030000-0x00000000755E1000-memory.dmp

memory/1968-29-0x0000000075030000-0x00000000755E1000-memory.dmp