Malware Analysis Report

2024-08-06 15:24

Sample ID 240521-jczsdsdb6t
Target 6282458b94ca8bc08801d124c4224ff1_JaffaCakes118
SHA256 de01b6a27d4eba814fe3ce5084cfc23fdeeb47d50f8bec5a973578e66b768a48
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

de01b6a27d4eba814fe3ce5084cfc23fdeeb47d50f8bec5a973578e66b768a48

Threat Level: Known bad

The file 6282458b94ca8bc08801d124c4224ff1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-21 07:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 07:32

Reported

2024-05-21 08:29

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dfghjklkjhrtyu.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\23757645\\xrfq.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\23757645\\smqujemen.bcs" C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4192 set thread context of 1524 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3808 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3808 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3808 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 640 wrote to memory of 4192 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe
PID 640 wrote to memory of 4192 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe
PID 640 wrote to memory of 4192 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe
PID 4192 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4192 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4192 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4192 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4192 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1524 wrote to memory of 3280 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 3280 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 3280 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23757645\csweath.vbs"

C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe

"C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe" smqujemen.bcs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8ED2.tmp"

Network

Files

C:\Users\Admin\AppData\Local\Temp\23757645\csweath.vbs

MD5 7f52859621eeb2db44becedf97aa401b
SHA1 38f78a4a6b871d7570927f3f66fef53e56dc074a
SHA256 dda55d184d2023c6cb2e2b289a682e52dfdb6d698de2d09ebb30a7855f3d0091
SHA512 9e24e079ba2f7ab36f3247b7cfed495a3e523e3e83e7f97fd48de4c76072c4a878585a3c1ecd0e589ab5b8ce0b8c1c3868b69b028a1e18a1d26479cda0125371

C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Local\Temp\23757645\gfujvaac.txt

MD5 22a0cddb35ab13b5829b2db5178fdeb5
SHA1 150abec46b7972d19668d7470cdfffa017e5e6b7
SHA256 39436dfc408cf317d0a69165d657c80eedbe1285f8f0a949330a1270951315f4
SHA512 ed87fb0fd0a99c815117935ab2ae632564835e0a5d8cce83d5309896ff0af03f8af82bb6fc027cfceee07f9aa9c357e4b786347fd36844f40f135ed623302192

memory/1524-148-0x0000000000FC0000-0x0000000001FC0000-memory.dmp

memory/1524-149-0x0000000000FC0000-0x0000000000FF8000-memory.dmp

memory/1524-150-0x000000000DB60000-0x000000000E104000-memory.dmp

memory/1524-151-0x000000000D650000-0x000000000D6E2000-memory.dmp

memory/1524-152-0x000000000D6F0000-0x000000000D78C000-memory.dmp

memory/1524-153-0x000000000D5D0000-0x000000000D5DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8ED2.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

memory/1524-158-0x000000000D810000-0x000000000D81A000-memory.dmp

memory/1524-159-0x000000000E6D0000-0x000000000E6EE000-memory.dmp

memory/1524-160-0x000000000DB50000-0x000000000DB5A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 07:32

Reported

2024-05-21 08:30

Platform

win7-20240508-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dfghjklkjhrtyu.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\23757645\\xrfq.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\23757645\\smqujemen.bcs" C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2788 set thread context of 372 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2348 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2348 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2348 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1932 wrote to memory of 2788 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe
PID 1932 wrote to memory of 2788 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe
PID 1932 wrote to memory of 2788 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe
PID 1932 wrote to memory of 2788 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe
PID 2788 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2788 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2788 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2788 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2788 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2788 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2788 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2788 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2788 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 372 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 372 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 372 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 372 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23757645\csweath.vbs"

C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe

"C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe" smqujemen.bcs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp50BF.tmp"

Network

Files

C:\Users\Admin\AppData\Local\Temp\23757645\csweath.vbs

MD5 7f52859621eeb2db44becedf97aa401b
SHA1 38f78a4a6b871d7570927f3f66fef53e56dc074a
SHA256 dda55d184d2023c6cb2e2b289a682e52dfdb6d698de2d09ebb30a7855f3d0091
SHA512 9e24e079ba2f7ab36f3247b7cfed495a3e523e3e83e7f97fd48de4c76072c4a878585a3c1ecd0e589ab5b8ce0b8c1c3868b69b028a1e18a1d26479cda0125371

C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Local\Temp\23757645\gfujvaac.txt

MD5 22a0cddb35ab13b5829b2db5178fdeb5
SHA1 150abec46b7972d19668d7470cdfffa017e5e6b7
SHA256 39436dfc408cf317d0a69165d657c80eedbe1285f8f0a949330a1270951315f4
SHA512 ed87fb0fd0a99c815117935ab2ae632564835e0a5d8cce83d5309896ff0af03f8af82bb6fc027cfceee07f9aa9c357e4b786347fd36844f40f135ed623302192

memory/372-149-0x0000000000B20000-0x0000000001B20000-memory.dmp

memory/372-151-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/372-152-0x0000000000B20000-0x0000000001B20000-memory.dmp

memory/372-154-0x0000000000B20000-0x0000000001B20000-memory.dmp

memory/372-153-0x0000000000B20000-0x0000000001B20000-memory.dmp

memory/372-155-0x0000000000B20000-0x0000000000B58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp50BF.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

memory/372-160-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/372-161-0x0000000000400000-0x000000000041E000-memory.dmp

memory/372-162-0x0000000000460000-0x000000000046A000-memory.dmp