Malware Analysis Report

2024-10-24 17:04

Sample ID 240611-vasf3stgmr
Target 9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118
SHA256 337b2a2898f89d83eb9810385b6113b722dc71c9e7192876116ae9cf66797d22
Tags
upx gh0strat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

337b2a2898f89d83eb9810385b6113b722dc71c9e7192876116ae9cf66797d22

Threat Level: Known bad

The file 9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx gh0strat rat

Gh0strat

Gh0strat family

Gh0st RAT payload

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 16:47

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat family

gh0strat

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 16:47

Reported

2024-06-11 16:50

Platform

win7-20240419-en

Max time kernel

124s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2016 set thread context of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Microsoft.NET\Framework\ETComm_New.dll | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\mscorsvws.exe | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\ETComm.dll | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\ETComm.dll | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File created | C:\Windows\MpMgSvc.dll | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\ETComm.dll | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\mscorsvws.exe | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1968 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
PID 1968 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
PID 1968 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
PID 1968 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
PID 2016 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2016 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2016 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2016 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2016 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2016 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2016 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2016 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2016 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 2016 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 1968 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 1968 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 1968 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 1968 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe

C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\cacls.exe

cacls C:\Windows\Fonts\*.exe /e /d system

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | wmi.usa-138.com | udp
US | 8.8.8.8:53 | 4i7i.com | udp
US | 8.8.8.8:53 | wmi.usa-138.com | udp
US | 8.8.8.8:53 | wmi.usa-138.com | udp

Files

memory/1968-0-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\Microsoft.NET\Framework\aspnet_wp.exe

MD5 962026a01cc9c058822bfa108393eaaf
SHA1 bdc766094cc240782e10a0dfec8d420f3420d42c
SHA256 48d8d3a80cd1ebc5fa2402a9e7c77fdb74782dd8d3d5291787266ab289f1a82b
SHA512 f03986b1b3a0609f7ca999e07f58b6dc0504c767b5b98c60186c8c1f0f5b56b87207d5b8c165a2e103e803ccf32193e848c75875231dd94237d1501862e18e93

\Windows\Microsoft.NET\Framework\ETComm.dll

MD5 88d73a37ae35e3b049b908e7b28a5c39
SHA1 2713a4bd792d0cb4afd6e3b43c7cfc2587989048
SHA256 a81f235483560d11f871351771f862cd52f1ab097a84e37163fb876ff5814f39
SHA512 3d947b28c15b930c9e7212e2dfed2a73fbd6139b5f52020b60735a3fc8f4f1d82e5a0b41a7ce78839e48698437cf07c1485ef61605e461a3768250d71b233da5

memory/2600-15-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\Microsoft.NET\Framework\ETComm_New.dll

MD5 5a8088a81ca60f7d6b52dafef8106352
SHA1 91038034b8a3087d2b3b03c4240c1a84c1e6fd4e
SHA256 a558403de957fb3ce765f5fab272db6d65b443ddfdc233ff1269dbe996a666dd
SHA512 de4818b3221d16b062a0662313d86ceaa36312db0b99f7c4ceec496d3aaf2c89943182b590875185a410f97e272660660df6684a53717225ef2c5cbb49abd624

memory/2016-37-0x0000000010000000-0x00000000100EB000-memory.dmp

memory/2600-36-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2600-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2600-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2600-22-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2600-19-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2600-17-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2016-14-0x0000000010000000-0x00000000100EB000-memory.dmp

memory/1968-38-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1968-39-0x0000000000400000-0x00000000005D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 16:47

Reported

2024-06-11 16:50

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4988 set thread context of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Microsoft.NET\Framework\mscorsvws.exe | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File created | C:\Windows\MpMgSvc.dll | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\ETComm.dll | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\ETComm_New.dll | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\mscorsvws.exe | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\ETComm.dll | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\ETComm.dll | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 540 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
PID 540 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
PID 540 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
PID 540 wrote to memory of 444 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 444 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 444 | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 4988 wrote to memory of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 4988 wrote to memory of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 4988 wrote to memory of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 4988 wrote to memory of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 4988 wrote to memory of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 4988 wrote to memory of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 4988 wrote to memory of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 4988 wrote to memory of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe
PID 4988 wrote to memory of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe

C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe

C:\Windows\SysWOW64\cacls.exe

cacls C:\Windows\Fonts\*.exe /e /d system

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | wmi.usa-138.com | udp
US | 8.8.8.8:53 | 4i7i.com | udp
HK | 203.124.11.99:80 | 4i7i.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | wmi.usa-138.com | udp
US | 8.8.8.8:53 | 211.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | wmi.usa-138.com | udp
US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | wmi.usa-138.com | udp
US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp

Files

memory/540-0-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe

MD5 962026a01cc9c058822bfa108393eaaf
SHA1 bdc766094cc240782e10a0dfec8d420f3420d42c
SHA256 48d8d3a80cd1ebc5fa2402a9e7c77fdb74782dd8d3d5291787266ab289f1a82b
SHA512 f03986b1b3a0609f7ca999e07f58b6dc0504c767b5b98c60186c8c1f0f5b56b87207d5b8c165a2e103e803ccf32193e848c75875231dd94237d1501862e18e93

C:\Windows\Microsoft.NET\Framework\ETComm.dll

MD5 88d73a37ae35e3b049b908e7b28a5c39
SHA1 2713a4bd792d0cb4afd6e3b43c7cfc2587989048
SHA256 a81f235483560d11f871351771f862cd52f1ab097a84e37163fb876ff5814f39
SHA512 3d947b28c15b930c9e7212e2dfed2a73fbd6139b5f52020b60735a3fc8f4f1d82e5a0b41a7ce78839e48698437cf07c1485ef61605e461a3768250d71b233da5

memory/4988-13-0x0000000010000000-0x00000000100EB000-memory.dmp

C:\Windows\Microsoft.NET\Framework\ETComm.dll

MD5 772489c1a202bb5430de2460f82dc8ee
SHA1 35b7dda980e4f54a9d86015fda6023301a41787a
SHA256 26c805ddcd223e867fb915401b567d057980fb5b06bd9b9bc7bd77bee354f261
SHA512 7544421da95ed6174ff0d63428faaba851a0af9c7988c465cb975cbafe421c5b2b22f5fda637755ba4bcc3bdc658a8696afbcaa8763af9e409dcbaa486d0a130

memory/228-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/228-16-0x0000000000400000-0x0000000000409000-memory.dmp

memory/228-15-0x0000000000400000-0x0000000000409000-memory.dmp

memory/228-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4988-25-0x0000000010000000-0x00000000100EB000-memory.dmp

memory/540-26-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/540-28-0x0000000000400000-0x00000000005D3000-memory.dmp