Analysis Overview
score
9/10
SHA256
256b0bee110baf0afc1f1080d78541900565551ece3e540128261e0096f6e6ec
Threat Level: Likely malicious
The file 8991de78e5b334947a47afbde360abe5_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (8595) files with added filename extension
Renames multiple (7062) files with added filename extension
Deletes shadow copies
Possible privilege escalation attempt
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Modifies file permissions
Drops desktop.ini file(s)
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Discovers systems in the same network
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Interacts with shadow copies
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-01 06:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 06:10
Reported
2024-06-01 06:12
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
108s
Command Line
"C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe"
Signatures
Deletes shadow copies
Renames multiple (7062) files with added filename extension
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\BVBIKK~1:bin | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin | N/A |
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin | N/A |
| File created | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe:0 | C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_18.svg.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif.locked | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.locked | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x.locked | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileMediumSquare.scale-100.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\files_icons.png.locked | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EMLAttachmentIcon.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_contrast-white.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-150.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.Tests.ps1 | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\AppStore_icon.svg.locked | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-125.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js.locked | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIF.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_checkbox_unselected_18.svg | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_2x.png.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\ui-strings.js.locked | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\fy.txt.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\update-settings.ini.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\ui-strings.js.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-high\AboutBoxLogo.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\ui-strings.js | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.locked | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.locked | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\en-US.pak.DATA.locked | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia64.msi.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-tool-view.js | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\PlayStore_icon.svg.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main.css | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sl.pak.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.readme_txt | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Program crash
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin | C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\BVBIKK~1:bin | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\BVBIKK~1:bin | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\BVBIKK~1:bin | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin
C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 628
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\system32\vssvc.exe /reset
C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe /reset
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3732 -ip 3732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 264
C:\Users\Admin\AppData\Roaming\BVBIKK~1:bin
C:\Users\Admin\AppData\Roaming\\BVBIKK~1:bin
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\arp.exe
C:\Windows\system32\arp.exe -a
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 10.127.0.1
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 10.127.255.255
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 49.12.169.207
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 224.0.0.22
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 224.0.0.251
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 224.0.0.252
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 239.255.255.250
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 255.255.255.255
C:\Windows\system32\net.exe
C:\Windows\system32\net.exe view static.207.169.12.49.clients.your-server.de
C:\Windows\system32\net.exe
C:\Windows\system32\net.exe view igmp.mcast.net
C:\Windows\system32\net.exe
C:\Windows\system32\net.exe view mdns.mcast.net
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2652 -ip 2652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 1044
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.169.12.49.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.255.255.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.207.169.12.49.clients.your-server.de | udp |
| DE | 49.12.169.207:445 | static.207.169.12.49.clients.your-server.de | tcp |
| US | 8.8.8.8:53 | static.207.169.12.49.clients.your-server.de | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| DE | 49.12.169.207:139 | static.207.169.12.49.clients.your-server.de | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | igmp.mcast.net | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | igmp.mcast.net | udp |
| US | 8.8.8.8:53 | mdns.mcast.net | udp |
| US | 8.8.8.8:53 | mdns.mcast.net | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/4980-2-0x0000000000710000-0x0000000000810000-memory.dmp
memory/4980-3-0x0000000000400000-0x0000000000415000-memory.dmp
C:\Users\Admin\AppData\Roaming\NYZ6KK~1:bin
| MD5 | 8991de78e5b334947a47afbde360abe5 |
| SHA1 | 155497359e022662b6028c939e0055a52463c219 |
| SHA256 | 256b0bee110baf0afc1f1080d78541900565551ece3e540128261e0096f6e6ec |
| SHA512 | aea0e71ac10ff1773ca9c65a6d864099834ff3986954f08db54ac6f5be43d03ba09ce5d4869e05633feb08c36e7929079b836e141c13de46861daf4ad654f763 |
memory/3732-11-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4980-12-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4980-13-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2652-20-0x0000000000400000-0x000000000042C000-memory.dmp
memory/3732-30-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Windows\Temp\P49EF.tmp
| MD5 | 9686e36f7086f18dc866351b5f1dcd92 |
| SHA1 | 7fbf5558d7509468fc974e92f6464ccddb0bd894 |
| SHA256 | cf664db1f0277133d904fa8f7c8f1cc17122d0687bfbd9a30db4f79535385fb5 |
| SHA512 | 7482eda4a3ef290125db3cc96541421f96acc1f450e991a939e445ce93a36ae1103e161218c75099558e4e2fed90124d78fce6b27994d00a8f386386f1f2a4d6 |
memory/2652-1858-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4908-2879-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-1337824034-2731376981-3755436523-1000-MergedResources-0.pri.locked
| MD5 | 27dc00bb2dd19cb07ae1f3e4ede6c417 |
| SHA1 | 5be0a9479d0f42f2144a7a01f7829474eed879f1 |
| SHA256 | 27602a77c0f65b4cc1b7bf801cc0d39d0c275e9384c7572a8ea7ae3f52523e7e |
| SHA512 | 47f58387e89c65ad6ccec3436709dff1650646160ca798683ea7f096baebede3da4bb71e34671e08f324e8ba3a5c0d1d6b24028cdef52de0f33cfe68d3f2f892 |
C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-1337824034-2731376981-3755436523-1000-MergedResources-0.pri.locked
| MD5 | 58713222c3db724b11131c18590b4393 |
| SHA1 | 78fb318072ed9705d1268f620de2f32946a19929 |
| SHA256 | 3cfc416912fe72f3d962084c6d1bf0a998fa73c38d97694baf80ffff11dd6458 |
| SHA512 | 21f7c22d587170d1ce612d352b6936dd0066fe84ba384b5639e7c3553c0be42a304aee2ec4328a75b2e416e7cdbc82317affc22599b8cd8c735282f32b066a3e |
C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-1337824034-2731376981-3755436523-1000-MergedResources-0.pri.locked
| MD5 | 050bbd8b41fd8710e106a95c1047409b |
| SHA1 | 60d72a6a24e96a152b1ae54f5255677a6af13721 |
| SHA256 | 524967ec7a155f4b2dca60dd32844f07b33a06f31ebadfd9045c8d9ef1b96e10 |
| SHA512 | debeb08a84535c49ddcd772f5db0e9685c30d22af028459e8b05cdf45d04f4aaf51bb8881c8c78018d3787889419023462e4a9b2de274627cd59aef867b4991a |
C:\Windows\Temp\YLCF20.tmp
| MD5 | 5bef1c13e1c53aad094bb94086afb7e7 |
| SHA1 | 9caca218662cc7eab126bc085b1d8ac9e359913f |
| SHA256 | a13792cde232bebbc4f38a63a057bad7a2674e8c97415fd6646be416e112d1f2 |
| SHA512 | e1196949a266e5d0fc3e27a571a9e92ec1acf9db40ca59013cc1f8b746fa6242372301ac02158e04599fcaedc9e4d4e39777685df2dc9c8af4dafab89a8ef29a |
memory/2652-34659-0x0000000000400000-0x000000000042C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 06:10
Reported
2024-06-01 06:12
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
"C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe"
Signatures
Deletes shadow copies
Renames multiple (8595) files with added filename extension
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VhZqw8co:bin | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VhZqw8co:bin | N/A |
| N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\JLNR13~1:bin | N/A |
| N/A | N/A | C:\Windows\system32\4JVAJY~1:bin | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A |
| N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A |
| N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A |
| N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Windows\System32\snmptrap.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\4JVAJY~1 | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Windows\system32\4JVAJY~1:bin | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe:0 | C:\Windows\system32\4JVAJY~1:bin | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Windows\system32\4JVAJY~1:bin | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Users\Admin\AppData\Roaming\VhZqw8co:bin | N/A |
| File created | C:\Windows\System32\snmptrap.exe:0 | C:\Users\Admin\AppData\Roaming\VhZqw8co:bin | N/A |
| File created | C:\Windows\system32\4JvaJyOHaW | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Windows\system32\4JvaJyOHaW | C:\Windows\System32\snmptrap.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Europe\Brussels.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196164.WMF | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EET.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099169.WMF.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090390.WMF.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL002.XML.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02134_.GIF.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadata.xsd.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_hyperlink.gif | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanMergeLetter.Dotx.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Panama.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\vlc.mo.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187849.WMF | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left_over.gif.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Dili.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14800_.GIF.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\PREVIEW.GIF | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02269_.WMF.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21422_.GIF.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULQOT98.POC | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Asia\Baku.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\OliveGreen.css.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\INCOMING.ICO.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Paramaribo | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Australia\Currie.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Process Library.fdt.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.XML.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Macau.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\PREVIEW.GIF.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099146.WMF.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP.locked | C:\Windows\System32\snmptrap.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00006_.WMF.readme_txt | C:\Windows\System32\snmptrap.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe | C:\Users\Admin\AppData\Roaming\VhZqw8co:bin | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe:0 | C:\Users\Admin\AppData\Roaming\VhZqw8co:bin | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe:0 | C:\Users\Admin\AppData\Roaming\VhZqw8co:bin | N/A |
| File created | C:\Users\Admin\AppData\Roaming\JLNR13~1:bin | C:\Windows\System32\snmptrap.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\VhZqw8co:bin | C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VhZqw8co:bin | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VhZqw8co:bin | N/A |
| N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A |
| N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A |
| N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A |
| N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A |
| N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\JLNR13~1:bin | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\JLNR13~1:bin | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\snmptrap.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\snmptrap.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\VhZqw8co:bin
C:\Users\Admin\AppData\Roaming\VhZqw8co:bin C:\Users\Admin\AppData\Local\Temp\8991de78e5b334947a47afbde360abe5_JaffaCakes118.exe
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\System32\snmptrap.exe
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\System32\snmptrap.exe /reset
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Users\Admin\AppData\Roaming\JLNR13~1:bin
C:\Users\Admin\AppData\Roaming\\JLNR13~1:bin
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\arp.exe
C:\Windows\system32\arp.exe -a
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 10.127.0.1
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 10.127.255.255
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 37.27.61.182
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 224.0.0.22
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 224.0.0.251
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 224.0.0.252
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 239.255.255.250
C:\Windows\system32\nslookup.exe
C:\Windows\system32\nslookup.exe 255.255.255.255
C:\Windows\system32\net.exe
C:\Windows\system32\net.exe view static.182.61.27.37.clients.your-server.de
C:\Windows\system32\net.exe
C:\Windows\system32\net.exe view igmp.mcast.net
C:\Windows\system32\net.exe
C:\Windows\system32\net.exe view mdns.mcast.net
C:\Windows\system32\4JVAJY~1:bin
C:\Windows\system32\4JVAJY~1:bin C:\Windows\System32\snmptrap.exe 2616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.61.27.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.255.255.in-addr.arpa | udp |
Files
memory/2868-2-0x0000000000520000-0x0000000000620000-memory.dmp
memory/2868-3-0x0000000000400000-0x0000000000415000-memory.dmp
\Users\Admin\AppData\Roaming\VhZqw8co
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\VhZqw8co:bin
| MD5 | 8991de78e5b334947a47afbde360abe5 |
| SHA1 | 155497359e022662b6028c939e0055a52463c219 |
| SHA256 | 256b0bee110baf0afc1f1080d78541900565551ece3e540128261e0096f6e6ec |
| SHA512 | aea0e71ac10ff1773ca9c65a6d864099834ff3986954f08db54ac6f5be43d03ba09ce5d4869e05633feb08c36e7929079b836e141c13de46861daf4ad654f763 |
memory/2868-13-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2868-12-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2344-16-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2616-26-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2344-28-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Windows\Temp\qt2042.tmp
| MD5 | 9686e36f7086f18dc866351b5f1dcd92 |
| SHA1 | 7fbf5558d7509468fc974e92f6464ccddb0bd894 |
| SHA256 | cf664db1f0277133d904fa8f7c8f1cc17122d0687bfbd9a30db4f79535385fb5 |
| SHA512 | 7482eda4a3ef290125db3cc96541421f96acc1f450e991a939e445ce93a36ae1103e161218c75099558e4e2fed90124d78fce6b27994d00a8f386386f1f2a4d6 |
memory/2460-207-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Windows\Temp\ly23DE.tmp
| MD5 | 5bef1c13e1c53aad094bb94086afb7e7 |
| SHA1 | 9caca218662cc7eab126bc085b1d8ac9e359913f |
| SHA256 | a13792cde232bebbc4f38a63a057bad7a2674e8c97415fd6646be416e112d1f2 |
| SHA512 | e1196949a266e5d0fc3e27a571a9e92ec1acf9db40ca59013cc1f8b746fa6242372301ac02158e04599fcaedc9e4d4e39777685df2dc9c8af4dafab89a8ef29a |
memory/2616-1304-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B1A73.tmp
| MD5 | e028c8417dd1f4a1bbebe990687f60be |
| SHA1 | 735a00747091318bb37e2a99495d7d2d329eeddc |
| SHA256 | ad1745fb0662b3217f3d8e591fc3476278766709a185b43bdea26c966071a6c3 |
| SHA512 | a2a1c67f7b9418cd5d2da78bf908fa8286dc4e55926107636e542fff2b8da75cc1e2b934ee77e148ed082df9b090b590d19f18a428f6e656824fdea202c8200c |
memory/2272-43100-0x0000000000400000-0x000000000042C000-memory.dmp