Malware Analysis Report

2024-07-11 07:36

Sample ID 240610-rkndbszamp
Target 9af190e00f38ca6541b1d1d177492c47_JaffaCakes118
SHA256 f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a
Tags
plugx trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a

Threat Level: Known bad

The file 9af190e00f38ca6541b1d1d177492c47_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

plugx trojan

Detects PlugX payload

PlugX

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Deletes itself

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-10 14:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 14:15

Reported

2024-06-10 14:17

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9af190e00f38ca6541b1d1d177492c47_JaffaCakes118.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9af190e00f38ca6541b1d1d177492c47_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A
N/A N/A C:\ProgramData\Kerberos\hkcmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A
N/A N/A C:\ProgramData\Kerberos\hkcmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004500300031004500420032003800420039003200410044004400330030000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Kerberos\hkcmd.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Kerberos\hkcmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\9af190e00f38ca6541b1d1d177492c47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe
PID 1400 wrote to memory of 2908 N/A C:\ProgramData\Kerberos\hkcmd.exe C:\Windows\SysWOW64\svchost.exe
PID 2908 wrote to memory of 4784 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9af190e00f38ca6541b1d1d177492c47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9af190e00f38ca6541b1d1d177492c47_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"

C:\ProgramData\Kerberos\hkcmd.exe

"C:\ProgramData\Kerberos\hkcmd.exe" 100 4028

C:\ProgramData\Kerberos\hkcmd.exe

"C:\ProgramData\Kerberos\hkcmd.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 10.127.255.255:53 udp
N/A 255.255.255.255:53 ns4.msftncsl.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 ns4.msftncsl.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

MD5 0d58e5f4e82539de38ba7f9b4a8dda12
SHA1 dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342
SHA256 e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d
SHA512 149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.dll

MD5 55c15efa6369957c69e7c6643bc86ef2
SHA1 ce2bacdc2eeb298016d46e61f4a009b2a706a737
SHA256 7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf
SHA512 a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL.res

MD5 3aa819b9089cd906d6434e446bea75ba
SHA1 8e008e0eb41830841eeb4702c382a43757ad930e
SHA256 b414a5ffb5b41d46d963c22964ae3097538c0a3e7ce0e3ba235ca33de3ab717d
SHA512 c09d075044ef7b74c928238aaa1b78c952970280a68213db108d7bdc02fea24a0f6424a745dbf4fb33de93f3b8d8341b7f99e5c47dadd0fda9083e6cc596b965

memory/4028-19-0x00000000021C0000-0x00000000022C0000-memory.dmp

memory/4028-20-0x0000000000980000-0x00000000009AC000-memory.dmp

memory/4028-21-0x0000000000980000-0x00000000009AC000-memory.dmp

memory/4084-40-0x0000000000600000-0x000000000062C000-memory.dmp

memory/4084-41-0x0000000000600000-0x000000000062C000-memory.dmp

memory/1400-45-0x0000000000E60000-0x0000000000E8C000-memory.dmp

memory/2908-46-0x0000000001850000-0x000000000187C000-memory.dmp

memory/1400-47-0x0000000000E60000-0x0000000000E8C000-memory.dmp

memory/2908-59-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

memory/2908-60-0x0000000001850000-0x000000000187C000-memory.dmp

memory/2908-62-0x0000000001850000-0x000000000187C000-memory.dmp

memory/4028-63-0x0000000000980000-0x00000000009AC000-memory.dmp

memory/2908-49-0x0000000001850000-0x000000000187C000-memory.dmp

memory/2908-61-0x0000000001850000-0x000000000187C000-memory.dmp

memory/2908-64-0x0000000001850000-0x000000000187C000-memory.dmp

memory/2908-65-0x0000000001850000-0x000000000187C000-memory.dmp

memory/2908-66-0x0000000001850000-0x000000000187C000-memory.dmp

memory/4084-69-0x0000000000600000-0x000000000062C000-memory.dmp

memory/4784-70-0x0000000000780000-0x00000000007AC000-memory.dmp

memory/4784-71-0x0000000000480000-0x0000000000481000-memory.dmp

memory/4784-72-0x0000000000780000-0x00000000007AC000-memory.dmp

memory/4784-73-0x0000000000780000-0x00000000007AC000-memory.dmp

memory/2908-74-0x0000000001850000-0x000000000187C000-memory.dmp

memory/2908-75-0x0000000001850000-0x000000000187C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 14:15

Reported

2024-06-10 14:17

Platform

win7-20240220-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9af190e00f38ca6541b1d1d177492c47_JaffaCakes118.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A
N/A N/A C:\ProgramData\Kerberos\hkcmd.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003800430041003800420030004200430033003600330039003600410042000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Kerberos\hkcmd.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Kerberos\hkcmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\9af190e00f38ca6541b1d1d177492c47_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe
PID 2404 wrote to memory of 2892 N/A C:\ProgramData\Kerberos\hkcmd.exe C:\Windows\SysWOW64\svchost.exe
PID 2892 wrote to memory of 1732 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9af190e00f38ca6541b1d1d177492c47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9af190e00f38ca6541b1d1d177492c47_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"

C:\ProgramData\Kerberos\hkcmd.exe

"C:\ProgramData\Kerberos\hkcmd.exe" 100 2464

C:\ProgramData\Kerberos\hkcmd.exe

"C:\ProgramData\Kerberos\hkcmd.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2892

Network

Country Destination Domain Proto
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 ns4.msftncsl.com udp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

MD5 0d58e5f4e82539de38ba7f9b4a8dda12
SHA1 dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342
SHA256 e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d
SHA512 149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL

MD5 55c15efa6369957c69e7c6643bc86ef2
SHA1 ce2bacdc2eeb298016d46e61f4a009b2a706a737
SHA256 7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf
SHA512 a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL.res

MD5 3aa819b9089cd906d6434e446bea75ba
SHA1 8e008e0eb41830841eeb4702c382a43757ad930e
SHA256 b414a5ffb5b41d46d963c22964ae3097538c0a3e7ce0e3ba235ca33de3ab717d
SHA512 c09d075044ef7b74c928238aaa1b78c952970280a68213db108d7bdc02fea24a0f6424a745dbf4fb33de93f3b8d8341b7f99e5c47dadd0fda9083e6cc596b965

memory/2464-22-0x0000000001D30000-0x0000000001E30000-memory.dmp

memory/2464-23-0x0000000000460000-0x000000000048C000-memory.dmp

memory/2464-24-0x0000000000460000-0x000000000048C000-memory.dmp

memory/2684-43-0x00000000003A0000-0x00000000003CC000-memory.dmp

memory/2684-44-0x00000000003A0000-0x00000000003CC000-memory.dmp

memory/2404-48-0x00000000002A0000-0x00000000002CC000-memory.dmp

memory/2892-52-0x00000000000A0000-0x00000000000BA000-memory.dmp

memory/2892-49-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2892-53-0x00000000000C0000-0x00000000000C2000-memory.dmp

memory/2892-54-0x0000000000100000-0x000000000012C000-memory.dmp

memory/2404-56-0x00000000002A0000-0x00000000002CC000-memory.dmp

memory/2892-71-0x0000000000100000-0x000000000012C000-memory.dmp

memory/2892-68-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2892-70-0x0000000000100000-0x000000000012C000-memory.dmp

memory/2892-69-0x0000000000100000-0x000000000012C000-memory.dmp

memory/2892-72-0x0000000000100000-0x000000000012C000-memory.dmp

memory/2892-55-0x0000000000100000-0x000000000012C000-memory.dmp

memory/2892-73-0x0000000000100000-0x000000000012C000-memory.dmp

memory/2892-77-0x0000000000100000-0x000000000012C000-memory.dmp

memory/2892-78-0x0000000000100000-0x000000000012C000-memory.dmp

memory/2684-79-0x00000000003A0000-0x00000000003CC000-memory.dmp

memory/1732-86-0x0000000000050000-0x0000000000051000-memory.dmp

memory/1732-87-0x0000000000270000-0x000000000029C000-memory.dmp

memory/1732-88-0x0000000000270000-0x000000000029C000-memory.dmp

memory/1732-85-0x0000000000270000-0x000000000029C000-memory.dmp