Malware Analysis Report

2025-06-16 03:39

Sample ID 240526-l6ytasfc96
Target 7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118
SHA256 58f516bca2180b9c4997a83fc135fb69acc4915f262633d4791bda7f601d351b
Tags
bootkit discovery evasion persistence spyware stealer trojan
score
9/10

Analysis Overview

score
9/10

SHA256

58f516bca2180b9c4997a83fc135fb69acc4915f262633d4791bda7f601d351b

Threat Level: Likely malicious

The file 7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery evasion persistence spyware stealer trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Reads user/profile data of web browsers

Deletes itself

Identifies Wine through registry keys

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 10:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 10:09

Reported

2024-05-26 10:12

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 10:09

Reported

2024-05-26 10:11

Platform

win7-20240508-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3

Network

Files
