Malware Analysis Report

2024-11-30 06:16

Sample ID 240612-rg79bsxgpc
Target a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118
SHA256 2397ac46ad9b52de1b72d6821ce44f6fd4815ea6abe449d1b731120d1e0c5ce2
Tags
execution discovery evasion persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral10, behavioral1, behavioral4, behavioral7, behavioral8, behavioral9, behavioral2, behavioral3, behavioral5, behavioral6
    each with: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

2397ac46ad9b52de1b72d6821ce44f6fd4815ea6abe449d1b731120d1e0c5ce2

Threat Level: Known bad

The file a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

execution discovery evasion persistence spyware stealer trojan upx

Windows security bypass

Creates new service(s)

Stops running service(s)

Drops file in Drivers directory

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

Loads dropped DLL

Windows security modification

Executes dropped EXE

UPX packed file

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:11

Signatures

Unsigned PE

Description Indicator Process Target
(4 hits; no indicator, process or target recorded)

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-12 14:10

Reported

2024-06-12 14:13

Platform

win10v2004-20240611-en

Max time kernel

134s

Max time network

137s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\auBVPavMwbA.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\auBVPavMwbA.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 9.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

No process is attributed to this traffic in the report. The g.bing.com / www.bing.com connections and the in-addr.arpa reverse lookups are the kind of background traffic the Windows 10 platform generates on its own, so treat them as noise unless the script's own activity can be tied to them.

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:10

Reported

2024-06-12 14:13

Platform

win7-20240220-en

Max time kernel

148s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe"

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\uninstaller.dat = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0" C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A

Stops running service(s)

evasion execution

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
(4 hits; no indicator, process or target recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A (x64; the loaded DLL is not named in the report)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
(4 hits; no indicator, process or target recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\uninstaller.dat = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0" C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)

These are the same ten registry writes that triggered "Windows security bypass" above. Defender stores a path exclusion as a DWORD value of 0 whose name is the excluded path, so each write adds the named file or directory to the exclusion list; every excluded path is one the sample itself drops, and writing under HKLM requires the sample to already hold administrative rights.
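The following is an added triage script, not part of the report, that turns the exclusion rows of this table and of the "Windows security bypass" table above into a check a responder actually wants: which of the files the sample drops are covered by an exclusion it wrote, and which drops are left unprotected. The EVENTS text is constructed from rows of this report (one event per line, trailing "N/A" column dropped); the regular expressions and path normalisation are assumptions about the row format, not anything the sandbox provides.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from this report's behavioral1 tables, one event per
# line, with the trailing "N/A" target column removed.
EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\uninstaller.dat = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0" C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c = "0" C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\nss3.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created C:\Windows\da32af249fcc8bb76881919b2c13248d.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created C:\Windows\uninstaller.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created C:\Windows\kiebqmtyeydresvp.kiebq C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
File created C:\Windows\SysWOW64\SSL\cert.db C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
"""

# Assumed row layout: "<description> <indicator> <process>"; the process path may contain
# spaces, so the indicator is matched lazily up to the ' = "<data>"' or the next drive letter.
EXCLUSION_RE = re.compile(
    r'^Set value \(int\) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender'
    r'\\Exclusions\\Paths\\(?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>.+)$')
FILE_RE = re.compile(
    r'^File (?:created|opened for modification) (?P<path>.+?) (?P<proc>[A-Za-z]:\\.+)$')


def normalize(path: str) -> str:
    """Case-fold and drop a trailing separator so the two spellings of the Program Files
    directory seen in the report compare equal."""
    return path.strip().lower().rstrip("\\")


def correlate_exclusions(events: str) -> dict:
    exclusions = defaultdict(set)   # excluded path -> processes that wrote it
    drops = defaultdict(set)        # dropped/modified file -> processes that touched it
    for line in events.splitlines():
        if m := EXCLUSION_RE.match(line):
            if m["data"] == "0":    # Defender keeps an exclusion as a DWORD 0 named after the path
                exclusions[normalize(m["path"])].add(m["proc"])
        elif m := FILE_RE.match(line):
            drops[normalize(m["path"])].add(m["proc"])

    def shielded(path: str, excl: str) -> bool:
        return path == excl or path.startswith(excl + "\\")

    covered = {e: sorted(f for f in drops if shielded(f, e)) for e in exclusions}
    unexcluded = sorted(f for f in drops if not any(shielded(f, e) for e in exclusions))
    return {"exclusions": dict(exclusions), "drops": dict(drops),
            "covered": covered, "unexcluded_drops": unexcluded}


if __name__ == "__main__":
    result = correlate_exclusions(EVENTS)
    for excl, files in result["covered"].items():
        print(f"excluded {excl}\n  written by {sorted(result['exclusions'][excl])}\n  shields {files}")
    print("dropped but NOT excluded:", result["unexcluded_drops"])
```

On the rows above this reports four distinct excluded paths (the two spellings of the Program Files directory collapse into one) shielding five of the seven dropped files, and leaves C:\Windows\kiebqmtyeydresvp.kiebq and C:\Windows\SysWOW64\SSL\cert.db as drops with no exclusion, which is where a scanner still has a chance. On a live host the same list is available from `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`; note that the registry write only matters where Defender is the active engine, and that a sandbox may not be running it at all.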

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\SSL\cert.db C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A
File opened for modification C:\Windows\SysWOW64\SSL\cert.db C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
File opened for modification C:\Windows\SysWOW64\SSL\eec823a821e7f337 2.cer C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
File opened for modification C:\Windows\SysWOW64\SSL\x.db C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
File opened for modification C:\Windows\SysWOW64\SSL\xtls.db C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
File opened for modification C:\Windows\SysWOW64\SSL\xv.db C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)

Drops file in Program Files directory

Note: nss3.dll, nspr4.dll, plc4.dll, plds4.dll, softokn3.dll and mozcrt19.dll are the Mozilla NSS/NSPR libraries. Bundling them is the usual way for a program that is not Firefox to open Firefox's per-profile certificate and key databases, so their presence next to the root-certificate install recorded below suggests the CA is also pushed into Firefox's separate trust store; the report itself only records that browser profile data is read.

Description Indicator Process Target
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\78aeb84ef7f864a3cbdc2d754802eb81.ico C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\nss3.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\nspr4.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\plc4.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\mozcrt19.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\da32af249fcc8bb76881919b2c13248d.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\WBE_uninstall.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service_64.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\3220fb1268d362d4fef9905ab424b39c.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\plds4.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\softokn3.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service_64.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\3220fb1268d362d4fef9905ab424b39c.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\0ee18cd84a6ff5795bf5c5821ca016e3 C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\kiebqmtyeydresvp.kiebq C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A
File created C:\Windows\da32af249fcc8bb76881919b2c13248d.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Windows\uninstaller.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)

HKEY_USERS\.DEFAULT is the profile hive used by the LocalSystem account, so keys appearing there from wscript.exe and 2ada4d5185dfaed833051bbd61ac560f.exe mean those processes ran as SYSTEM, consistent with the service the sample creates rather than with the Admin user who launched it.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9 C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9\LocalService = "eab27f564f6aa95ace08e0b9f5fd608c" C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A

The LocalService value under an AppID names the Windows service that hosts that COM server, so the service this sample registers is called eab27f564f6aa95ace08e0b9f5fd608c, the same string as its Program Files directory.

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A\Blob = 030000000100000014000000c60fabaa1b65e2e42dce7d0a4c6ced70ea52c06a20000000010000000803000030820304308201eca003020102021100fbec9938a373483790d5af0274c84987300d06092a864886f70d01010b0500302a310b300906035504061302454e311b301906035504030c126565633832336138323165376633333720323020170d3034303631373134313131325a180f32303634303630323134313131325a302a310b300906035504061302454e311b301906035504030c1265656338323361383231653766333337203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b0500038201010051f8045d76714e11193ac045932526ec16a4562e79f8cef75078f4caa3312cfb4e9958b8c345035f38a0b060a88d552107b6cd4af5c6c7c379770450a2d58a142f46d978b7582b9cd7215c50f005366e6572bde12992e155b5ad2706d7681d3bf32235c603d3badc688e602e005362287051cee679b07dc7e50a681b6270a36d84e2af94cb52c3cb30945b8bf25ed3a9b553ad655b31b389694c30998a7d5e4cd2ece4c920679d6a483850a13dd0c4c424c304dc6cd84d594c5dd6d3dc77e95e2b2a6913103021dd6158cb4266e0e571da4cfb25e849b93ed85191753a8d66cbd18fccc3bd0a09e26c68d621232311eb47ec87c0f61a86cdf65ff98da6b3d3ff C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A\Blob = (second write; the value was an exact duplicate of the Blob above and is not repeated here) C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A
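The Blob value above is the complete CryptoAPI serialized-certificate record that Windows keeps for every entry in the machine ROOT store, and the subkey name is the certificate's SHA-1 thumbprint. The script below is an added example, not part of the report or of any sandbox tooling: it splits the blob into its property records, pulls out the DER certificate, recomputes its SHA-1 to confirm it matches both the stored thumbprint property and the key name, and then walks the DER by hand (no third-party ASN.1 library) to recover serial, issuer and subject, validity and the CA/key-usage flags. The blob and key name are copied from the table; the property ids are the documented CryptoAPI constants (CERT_SHA1_HASH_PROP_ID = 3, CERT_CERT_PROP_ID = 32); the parser handles only the definite-length DER this certificate uses.

```python
import hashlib
import struct

# Copied from the "Modifies system certificate store" table above.
KEY_NAME = "C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A"
BLOB_HEX = "030000000100000014000000c60fabaa1b65e2e42dce7d0a4c6ced70ea52c06a20000000010000000803000030820304308201eca003020102021100fbec9938a373483790d5af0274c84987300d06092a864886f70d01010b0500302a310b300906035504061302454e311b301906035504030c126565633832336138323165376633333720323020170d3034303631373134313131325a180f32303634303630323134313131325a302a310b300906035504061302454e311b301906035504030c1265656338323361383231653766333337203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b0500038201010051f8045d76714e11193ac045932526ec16a4562e79f8cef75078f4caa3312cfb4e9958b8c345035f38a0b060a88d552107b6cd4af5c6c7c379770450a2d58a142f46d978b7582b9cd7215c50f005366e6572bde12992e155b5ad2706d7681d3bf32235c603d3badc688e602e005362287051cee679b07dc7e50a681b6270a36d84e2af94cb52c3cb30945b8bf25ed3a9b553ad655b31b389694c30998a7d5e4cd2ece4c920679d6a483850a13dd0c4c424c304dc6cd84d594c5dd6d3dc77e95e2b2a6913103021dd6158cb4266e0e571da4cfb25e849b93ed85191753a8d66cbd18fccc3bd0a09e26c68d621232311eb47ec87c0f61a86cdf65ff98da6b3d3ff"

# CryptoAPI property ids found inside a serialized certificate blob
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32

OID_COMMON_NAME = bytes.fromhex("550403")        # 2.5.4.3
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized-certificate Blob into {property id: data}. Each record is three
    little-endian uint32 fields (property id, reserved == 1, length) followed by the data."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def der_tlv(buf: bytes, off: int):
    """Decode one definite-length DER element at off: (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_children(value: bytes) -> list:
    """All (tag, value) elements directly inside a constructed DER value."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out


def name_cn(name: bytes):
    """commonName from an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode("utf-8")
    return None


def summarize_certificate(der: bytes) -> dict:
    """Minimal RFC 5280 walk: serial, issuer/subject CN, validity, CA flag, key usage."""
    _, cert, _ = der_tlv(der, 0)
    tbs = der_children(der_children(cert)[0][1])
    if tbs[0][0] == 0xA0:                  # optional [0] version; drop it so indices line up
        tbs = tbs[1:]
    serial, _sig_alg, issuer, validity, subject, _spki = tbs[:6]
    times = der_children(validity[1])
    info = {"serial": serial[1].hex(), "issuer_cn": name_cn(issuer[1]),
            "subject_cn": name_cn(subject[1]), "self_signed": issuer[1] == subject[1],
            "not_before": times[0][1].decode(), "not_after": times[1][1].decode(),
            "is_ca": False, "key_usage": []}
    for tag, ext_wrap in tbs[6:]:
        if tag != 0xA3:                    # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_children(ext_wrap)[0][1]):
            parts = der_children(ext)      # OID, optional critical BOOLEAN, OCTET STRING
            oid, payload = parts[0][1], parts[-1][1]
            if oid == OID_BASIC_CONSTRAINTS:
                inner = der_children(der_children(payload)[0][1])   # SEQUENCE { cA BOOLEAN, ... }
                info["is_ca"] = any(t == 0x01 and v == b"\xff" for t, v in inner)
            elif oid == OID_KEY_USAGE:
                bits = der_children(payload)[0][1][1:]              # BIT STRING minus unused-bits byte
                info["key_usage"] = [n for i, n in enumerate(KEY_USAGE_BITS)
                                     if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))]
    return info


def check_root_install(blob_hex: str, key_name: str) -> dict:
    """Describe the certificate in the blob and verify that SHA-1 of its DER matches both the
    stored thumbprint property and the registry key name it was filed under."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    computed = hashlib.sha1(der).hexdigest().upper()
    info = summarize_certificate(der)
    info.update({"der_length": len(der),
                 "stored_thumbprint": props[CERT_SHA1_HASH_PROP_ID].hex().upper(),
                 "computed_thumbprint": computed,
                 "thumbprint_matches_key": computed == key_name.upper()})
    return info


if __name__ == "__main__":
    for k, v in check_root_install(BLOB_HEX, KEY_NAME).items():
        print(f"{k:24} {v}")
```

Run on the value above, the walk reports a self-signed certificate with basicConstraints CA:TRUE and keyUsage keyCertSign/cRLSign, C=EN and CN "eec823a821e7f337 2" (the same name as the .cer the sample opens under C:\Windows\SysWOW64\SSL), serial 00fbec9938a373483790d5af0274c84987, valid from 2004-06-17 14:11:12Z to 2064-06-02 14:11:12Z, and a stored thumbprint property equal to the key name. Any certificate meeting that description in a machine ROOT store, with no corresponding CA on the network, is the signature of a local TLS-interception setup; the practical response is to remove the key (or `certutil -delstore Root C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A`) and to check Firefox's own cert database separately, since the Windows store does not cover it.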

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
(4 hits; no indicator, process or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)
Token: SeSecurityPrivilege N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x10)
Token: SeDebugPrivilege N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe N/A (x2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\wscript.exe (x4)
PID 2924 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe (x4)
PID 2924 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe (x4)
PID 2356 wrote to memory of 2408 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (x4)
PID 2424 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\wscript.exe (x4)
PID 2924 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe (x4)
PID 2924 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe (x4)
PID 2924 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe (x4)

Every target here is a child the sample starts (wscript.exe, sc.exe, net.exe/net1.exe, reg.exe), so these writes are parent-to-child startup writes rather than injection into an unrelated process. Two parents with the same image path (PID 2924 and PID 2424) show the sample running as two instances, each spawning its own wscript.exe. The command lines passed to sc.exe, net.exe and reg.exe are not recorded in this report.
PID 2924 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 2924 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
PID 2924 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
PID 2924 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
PID 2924 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
PID 1820 wrote to memory of 624 N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Windows\SysWOW64\sc.exe
PID 1820 wrote to memory of 624 N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Windows\SysWOW64\sc.exe
PID 1820 wrote to memory of 624 N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Windows\SysWOW64\sc.exe
PID 1820 wrote to memory of 624 N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Windows\SysWOW64\sc.exe
PID 1820 wrote to memory of 2432 N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Windows\SysWOW64\sc.exe
PID 1820 wrote to memory of 2432 N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Windows\SysWOW64\sc.exe
PID 1820 wrote to memory of 2432 N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Windows\SysWOW64\sc.exe
PID 1820 wrote to memory of 2432 N/A C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe C:\Windows\SysWOW64\sc.exe
PID 2924 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
PID 2924 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
PID 2924 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
PID 2924 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe"

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js" "C:\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp" "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js"

C:\Windows\SysWOW64\sc.exe

sc create -- binPath= ""C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe" /wl 1"

C:\Windows\SysWOW64\net.exe

net start --

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start --

C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe /wl 1

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Windows\TEMP\auBVPavMwbA.js" "C:\Windows\TEMP\nso38B.tmp" "C:\Windows\TEMP\auBVPavMwbA.js"

C:\Windows\SysWOW64\sc.exe

sc delete --

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:32

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:64

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:32

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64

C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe

"C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe" --install_updater 0

C:\Windows\SysWOW64\sc.exe

sc create ae17162624d60054bd221228f70d7531 binPath= "rundll32.exe C:\Windows\kiebqmtyeydresvp.kiebq EXMe" start= auto

C:\Windows\SysWOW64\sc.exe

sc failure ae17162624d60054bd221228f70d7531 reset= 30 actions= restart/5000

C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe

"C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe" --install

C:\Windows\SysWOW64\sc.exe

sc create d435e23f50e54d4bad7887b91b33f8b5 binpath= system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys DisplayName= d435e23f50e54d4bad7887b91b33f8b5 type= kernel start= system group= PNP_TDI

C:\Windows\SysWOW64\sc.exe

sc start d435e23f50e54d4bad7887b91b33f8b5

C:\Windows\SysWOW64\sc.exe

sc create eab27f564f6aa95ace08e0b9f5fd608c displayname= eab27f564f6aa95ace08e0b9f5fd608c binPath= "C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe" start= auto depend= RPCSS

C:\Windows\SysWOW64\sc.exe

sc start ae17162624d60054bd221228f70d7531

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\kiebqmtyeydresvp.kiebq EXMe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\kiebqmtyeydresvp.kiebq EXMe

C:\Windows\SysWOW64\sc.exe

sc failure eab27f564f6aa95ace08e0b9f5fd608c reset= 60 actions= restart/5000/restart/5000/restart/5000

C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe

"C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 C:\Windows\kiebqmtyeydresvp.kiebq EXMe perform_update

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net start d435e23f50e54d4bad7887b91b33f8b5

C:\Windows\system32\net.exe

net start d435e23f50e54d4bad7887b91b33f8b5

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start d435e23f50e54d4bad7887b91b33f8b5

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net start eab27f564f6aa95ace08e0b9f5fd608c

C:\Windows\system32\net.exe

net start eab27f564f6aa95ace08e0b9f5fd608c

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start eab27f564f6aa95ace08e0b9f5fd608c

C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe

"C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mansactechnology.com udp

Files

\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp\lDerpvVTsgA.dll

\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp\CCGylfvpPId.dll

C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js

\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp\gHbMwlFrsMB.dll

\Users\Admin\AppData\Local\Temp\nsd12D.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsd12D.tmp\md5dll.dll

\Users\Admin\AppData\Local\Temp\nsd12D.tmp\nsExec.dll

\Windows\Temp\nsd571.tmp\brh.dll

C:\Users\Admin\AppData\Local\Temp\nsd12D.tmp\brh.dat

\Users\Admin\AppData\Local\Temp\nsd12D.tmp\IpConfig.dll

\Users\Admin\AppData\Local\Temp\nsd12D.tmp\inetc.dll

\Users\Admin\AppData\Local\Temp\nsd12D.tmp\MoreInfo.dll

\Users\Admin\AppData\Local\Temp\nsd12D.tmp\NSISList.dll

\Users\Admin\AppData\Local\Temp\nsd12D.tmp\SimpleSC.dll

\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe

C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service.dat

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 14:10

Reported

2024-06-12 14:13

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCGylfvpPId.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 4332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCGylfvpPId.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCGylfvpPId.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 9.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-12 14:10

Reported

2024-06-12 14:13

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lDerpvVTsgA.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lDerpvVTsgA.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lDerpvVTsgA.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-12 14:10

Reported

2024-06-12 14:13

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lDerpvVTsgA.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 3280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lDerpvVTsgA.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lDerpvVTsgA.dll,#1

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-12 14:10

Reported

2024-06-12 14:13

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\auBVPavMwbA.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\auBVPavMwbA.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:10

Reported

2024-06-12 14:13

Platform

win10v2004-20240508-en

Max time kernel

121s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe"

Signatures

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\b6853ce52f7d6144b04e5ff97658e701.sys C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A

Stops running service(s)

evasion execution

ACProtect 1.3x - 1.4x DLL software

N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\SSL\xv.db C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File opened for modification C:\Windows\SysWOW64\SSL\6543245b1cb46793 2.cer C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File opened for modification C:\Windows\SysWOW64\SSL\cert.db C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File opened for modification C:\Windows\SysWOW64\SSL\x.db C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File opened for modification C:\Windows\SysWOW64\SSL\xv.db C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File opened for modification C:\Windows\SysWOW64\SSL\cert.db C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File opened for modification C:\Windows\SysWOW64\SSL\xtls.db C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File created C:\Windows\SysWOW64\SSL\cert.db C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File opened for modification C:\Windows\SysWOW64\SSL\xtls.db C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File opened for modification C:\Windows\SysWOW64\SSL\6543245b1cb46793 2.cer C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File opened for modification C:\Windows\SysWOW64\SSL\x.db C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\60cb5ebb756c8327d6337bbd6d4e0c80.ico C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\nspr4.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\softokn3.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service_64.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\nss3.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\mozcrt19.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\87908c64f535c12e6c01ab342ac8bfc9.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\WBE_uninstall.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\d44676e41aa285b35ad6810c42d46501 C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\plc4.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\plds4.dll C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\39f45794e48e2f59e28c85f2268ab99f.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\87908c64f535c12e6c01ab342ac8bfc9.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service_64.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\kmeuigdmybpidnoh.kmeui C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
File created C:\Windows\39f45794e48e2f59e28c85f2268ab99f.exe C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
File created C:\Windows\uninstaller.dat C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\JScriptSetScriptStateStarted = "240622046" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\wscript.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9 C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9\LocalService = "8851a48e15ac572110fe90b5c9102a7c" C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270 C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270\Blob = 03000000010000001400000028e4ba8454126140a8672cb55b8734cb00e5c27020000000010000000803000030820304308201eca003020102021100de9dc013d6f07f9412bc41817e5c6513300d06092a864886f70d01010b0500302a310b300906035504061302454e311b301906035504030c123635343332343562316362343637393320323020170d3034303631373134313133365a180f32303634303630323134313133365a302a310b300906035504061302454e311b301906035504030c1236353433323435623163623436373933203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101005f4efcbf1ae43150ec248af4e45e27219e1d0c862fa7fd1114c50c97112ab75c690bffb2fad011652989589d023c972f573b606cff2a987fa48d9ae9e7bb3f3e11b28065af28ef8e752d6b7ccecf0ca9fcabbda15475a7a1b7c3e2b25e0340d0bdf0fa8a775ad35a5ea6efccc5a96cd6217776d00e1cf04bb3ef60ef2e8643a959c64744ff726c85dfe3af79a3c45cf53101765af84d44e5a1c469132d93be0e024e6a9ca33debf51e90ddded06483ab331d4c4d0599a85356758c6741b0be90041741bceffe18bb5476fd2c9d3cd0547b39b3d78064513f79800c6f8ff95c722bf22bb4ac9c5910bb99a83582b98b88b222f3eba71a8fefc874f9249410cbc8 C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270 C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270 C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270\Blob = 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 C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\wscript.exe
PID 1348 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\wscript.exe
PID 1348 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\wscript.exe
PID 1348 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1348 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1348 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1348 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1348 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1348 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 4412 wrote to memory of 3096 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4412 wrote to memory of 3096 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4412 wrote to memory of 3096 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1676 wrote to memory of 5324 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\wscript.exe
PID 1676 wrote to memory of 5324 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\wscript.exe
PID 1676 wrote to memory of 5324 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\wscript.exe
PID 1348 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1348 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1348 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1348 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5708 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5708 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5708 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5544 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5544 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 5544 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 1348 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
PID 1348 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
PID 1348 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
PID 880 wrote to memory of 5204 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 880 wrote to memory of 5204 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 880 wrote to memory of 5204 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 880 wrote to memory of 3376 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 880 wrote to memory of 3376 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 880 wrote to memory of 3376 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 1348 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
PID 1348 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
PID 1348 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
PID 4068 wrote to memory of 1092 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 1092 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 1092 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 4820 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 4820 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 4820 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 3876 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 3876 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 3876 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 4292 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 4292 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 4068 wrote to memory of 4292 N/A C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe C:\Windows\SysWOW64\sc.exe
PID 6124 wrote to memory of 6120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 6124 wrote to memory of 6120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 6124 wrote to memory of 6120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1348 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe"

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js" "C:\Users\Admin\AppData\Local\Temp\nso4363.tmp" "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js"

C:\Windows\SysWOW64\sc.exe

sc create -- binPath= ""C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe" /wl 1"

C:\Windows\SysWOW64\net.exe

net start --

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start --

C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe /wl 1

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\Windows\TEMP\auBVPavMwbA.js" "C:\Windows\TEMP\nsg49DB.tmp" "C:\Windows\TEMP\auBVPavMwbA.js"

C:\Windows\SysWOW64\sc.exe

sc delete --

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:32

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:64

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:32

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64

C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe

"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe" --install_updater 0

C:\Windows\SysWOW64\sc.exe

sc create 4751186987c488b730105857f007e3b1 binPath= "rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe" start= auto

C:\Windows\SysWOW64\sc.exe

sc failure 4751186987c488b730105857f007e3b1 reset= 30 actions= restart/5000

C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe

"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe" --install

C:\Windows\SysWOW64\sc.exe

sc create b6853ce52f7d6144b04e5ff97658e701 binpath= system32\drivers\b6853ce52f7d6144b04e5ff97658e701.sys DisplayName= b6853ce52f7d6144b04e5ff97658e701 type= kernel start= system group= PNP_TDI

C:\Windows\SysWOW64\sc.exe

sc start b6853ce52f7d6144b04e5ff97658e701

C:\Windows\SysWOW64\sc.exe

sc create 8851a48e15ac572110fe90b5c9102a7c displayname= 8851a48e15ac572110fe90b5c9102a7c binPath= "C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe" start= auto depend= RPCSS

C:\Windows\SysWOW64\sc.exe

sc start 4751186987c488b730105857f007e3b1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe

C:\Windows\SysWOW64\sc.exe

sc failure 8851a48e15ac572110fe90b5c9102a7c reset= 60 actions= restart/5000/restart/5000/restart/5000

C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe

"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 C:\Windows\kmeuigdmybpidnoh.kmeui EXMe perform_update

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net start b6853ce52f7d6144b04e5ff97658e701

C:\Windows\system32\net.exe

net start b6853ce52f7d6144b04e5ff97658e701

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start b6853ce52f7d6144b04e5ff97658e701

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net start 8851a48e15ac572110fe90b5c9102a7c

C:\Windows\system32\net.exe

net start 8851a48e15ac572110fe90b5c9102a7c

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start 8851a48e15ac572110fe90b5c9102a7c

C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe

"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mansactechnology.com udp
US 8.8.8.8:53 mansactechnology.com udp
US 8.8.8.8:53 mansactechnology.com udp
US 8.8.8.8:53 mansactechnology.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nso4363.tmp\lDerpvVTsgA.dll

MD5 e4bdc739307f32b968e32fcebc9c01f6
SHA1 5f3d406f01579e3e8a67c05d2e31ec369e14604c
SHA256 17d489476f1f2fbe95a5ddb2a95a788528db842153c5582457133a79eb0756e0
SHA512 494ab1baf1ba59aa6cb4209dae8d493b784d289c74ba66b34d826aebb4014bb2fdfa3f30680650408048d9197cab5b945936c36cac9529c220048cef4704224e

C:\Users\Admin\AppData\Local\Temp\nso4363.tmp\CCGylfvpPId.dll

MD5 41061901c1afc95553800c7203a31cd0
SHA1 38fc9f859502166bf5e356b8820ed6a48b060f6d
SHA256 cc0dc4f6b1bf6627532a8c8ab42ad087f3302000632d22713950f0a8c95e8f05
SHA512 c54f0bf158938fa332d482b1190e66cc7856465080fbddc5f7b95ff1f00491d29fa28c49854e6dda73a8e1e11cf2e845754033eb5cfe77327e1625039946c2eb

C:\Users\Admin\AppData\Local\Temp\nso4363.tmp\gHbMwlFrsMB.dll

C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js

C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\md5dll.dll

C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\nsExec.dll

C:\Windows\Temp\nsx4C11.tmp\brh.dll

C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\brh.dat

C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\IpConfig.dll

C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\inetc.dll

C:\Windows\TEMP\nsg49DB.tmp\YdSLBLjn.gif

C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\MoreInfo.dll

C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\NSISList.dll

C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\SimpleSC.dll

C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\87908c64f535c12e6c01ab342ac8bfc9.exe

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-12 14:10

Reported: 2024-06-12 14:13

Platform: win7-20240508-en

Max time kernel: 118s

Max time network: 118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCGylfvpPId.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2980 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCGylfvpPId.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCGylfvpPId.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-12 14:10

Reported: 2024-06-12 14:13

Platform: win7-20240419-en

Max time kernel: 122s

Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gHbMwlFrsMB.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gHbMwlFrsMB.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gHbMwlFrsMB.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-06-12 14:10

Reported: 2024-06-12 14:13

Platform: win10v2004-20240611-en

Max time kernel: 92s

Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gHbMwlFrsMB.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4932 wrote to memory of 3756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4932 wrote to memory of 3756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4932 wrote to memory of 3756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gHbMwlFrsMB.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gHbMwlFrsMB.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A