Malware Analysis Report

2025-01-06 07:35

Sample ID 240613-fzaj8syhlp
Target a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118
SHA256 7c267f393664ccc38c7a4fb521587e77db7fc7e3a157a9ef5c19783f03a67c76
Tags
evasion persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7c267f393664ccc38c7a4fb521587e77db7fc7e3a157a9ef5c19783f03a67c76

Threat Level: Shows suspicious behavior (score 7/10)

The file a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118 shows suspicious behavior. Both detonations follow the same chain: the sample starts a second copy of itself and writes into that copy's memory (together with the SetThreadContext use flagged below, this is the shape of process hollowing); the second copy drops an executable with a benign-looking name under %APPDATA% (MozillaCtrl.exe in Roaming\Mozilla on Windows 10, SyncMediaCenterPrograms.exe in Roaming\Media Center Programs on Windows 7); the dropped executable registers itself under HKCU ...\CurrentVersion\Run with a GUID-named value and in turn hollows a copy of itself; and the second copy of the sample launches cmd.exe /c on a tmp<8 hex>.bat in %TEMP% to delete the original. Both the sample and the dropped executable open HKCU\Software\Wine, a cheap check for a Wine host rather than real Windows. The only network activity attributable to the sample is DNS queries for nlo2014.in; no connection to a resolved address appears in either run.

The dropped file's name, its hash and the Run value's GUID all differ between the two runs, so the stable indicators are the patterns (GUID-named Run value pointing into %APPDATA%, cmd.exe /c %TEMP%\tmp<8 hex>.bat, the Wine key check, the nlo2014.in query), not the per-run values.

Malicious Activity Summary

evasion persistence

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Deletes itself

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

The sandbox's Enterprise Matrix view did not survive extraction; the techniques below are mapped from the signatures listed above.

T1055 Process Injection: WriteProcessMemory into a freshly started copy of the same image, plus SetThreadContext (T1055.012 Process Hollowing is the matching sub-technique)

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: GUID-named value under HKCU\...\CurrentVersion\Run pointing at the dropped executable

T1036.005 Masquerading: Match Legitimate Name or Location: payload dropped as MozillaCtrl.exe or SyncMediaCenterPrograms.exe under %APPDATA%

T1070.004 Indicator Removal: File Deletion: cmd.exe /c on a tmp<8 hex>.bat in %TEMP% removes the original

T1497.001 Virtualization/Sandbox Evasion: System Checks: opens HKCU\Software\Wine

T1057 Process Discovery: EnumeratesProcesses

T1056.001 Input Capture: Keylogging is the usual reason for SetWindowsHookEx, but the report does not show the hook type, so this mapping is unconfirmed

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:18

Reported

2024-06-13 05:20

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe N/A

Two instances were started: PID 3844, launched by the second copy of the sample, and PID 1988, launched from 3844 and written into by it (see the WriteProcessMemory table below).

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\WINE C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\WINE C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2B70E722-2822-6411-6EE8-CE486FCBB77F} = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\MozillaCtrl.exe" C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; Events is the number of write operations reported for each source/target pair.

Description Indicator Process Target Events
PID 760 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe 8
PID 4432 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe 3
PID 3844 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe 8
PID 4432 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 3

760 to 4432 and 3844 to 1988 are writes into a new instance of the writer's own image (the hollowing step); 4432 to 3844 and 4432 to 1644 are the hollowed sample setting up the dropped executable and the cleanup cmd.exe.

Processes

C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe

"C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe"

C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe

"C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp145175b8.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 nlo2014.in udp
US 8.8.8.8:53 nlo2014.in udp
US 8.8.8.8:53 nlo2014.in udp
US 8.8.8.8:53 nlo2014.in udp
US 8.8.8.8:53 nlo2014.in udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Only the five UDP/53 queries for nlo2014.in are attributable to the sample; the g.bing.com and www.bing.com traffic and the in-addr.arpa reverse lookups are the kind of background activity a Windows 10 guest generates on its own. No TCP connection follows the nlo2014.in queries, so either the name did not resolve or the sample never connected within the 153 s window. The domain is the one network indicator in this report worth blocking or alerting on.

Files

memory/4432-{3,6,7,8,9,10}-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe

MD5 a5c87a512015b79ada094713c9b57d08
SHA1 4420f3affd65187020cd8169fac388a9c8682a4c
SHA256 ec2743acc3963fda6e7066d04bba066a6aba53add5966660452677e9365d6b06
SHA512 de991d85d1b8ed26e1f6edd7081d850157031a41064bc23a0d81d01c732a2e7079fa279a0f13c5bb6ddfb0447aaf0c08e53598ea5484273622296aadcf098d18

memory/1988-24-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4432-28-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp145175b8.bat

MD5 5e80abb0a4cafae332d236b408c28e6c
SHA1 962ce6ee8e730754e35f40c91cdab8eadee559eb
SHA256 f2f61b66672e11cde650368b83f442b3464acb2b1e07fe776f788e09f6f4f33c
SHA512 c38b4af1043382e91903c9d35bd5bde46c68ce3da661507afa65497d691b2c55397644e9f6e04a5db9fdca99f68d81b8c74af9375ca64aeea6904ca09de77b19

memory/1988-{30,31,32,33,34,35,36,37,38,39,40}-0x0000000000400000-0x0000000000441000-memory.dmp

Dump file names are written in brace-expansion form; the number after the PID is the dump index. Every dump covers the same 0x41000-byte region at image base 0x400000 in the two hollowed instances (PID 4432 of the sample, PID 1988 of MozillaCtrl.exe), so that region, not the file on disk, is where to look for the unpacked payload.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:18

Reported

2024-06-13 05:20

Platform

win7-20231129-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\WINE C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\WINE C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B3708393-D6A3-F2AF-9614-938E0BD1CD2F} C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe N/A 56

56 identical rows collapsed into one; Events is the number of process enumerations reported.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; Events is the number of write operations reported for each source/target pair.

Description Indicator Process Target Events
PID 2232 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe 9
PID 2248 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe 4
PID 2380 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe 9
PID 2248 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 4

The same shape as the Windows 10 run: 2232 to 2248 and 2380 to 2732 are writes into a new instance of the writer's own image; 2248 to 2380 and 2248 to 3064 set up the dropped executable and the cleanup cmd.exe.
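Added example, not part of the sandbox report or the sample: Python detection logic for the three behaviours the two runs share (GUID-named Run value, cmd.exe /c %TEMP%\tmp<8 hex>.bat self-delete, WriteProcessMemory into a fresh instance of the writer's own image), run over events transcribed from the signature tables of both detonations. The event dicts, rule names and helper names are this example's own assumptions, not a sandbox schema. It generalizes beyond the two runs: any GUID-named Run value, any tmp<8 hex>.bat launched from a %TEMP% parent and any self-image write fires, so the same rules hit both the Windows 7 and the Windows 10 run even though the dropped file's name, hash and GUID differ.

```python
"""Detection logic for the behaviours flagged in both detonations above,
run over events transcribed from the report.  Added example: this is not
sandbox output or the sample's code, and the event shapes (plain dicts with
key/data, cmdline/parent, src/dst/*_image) are this example's assumptions,
not a real sandbox schema."""
import re
from collections import Counter

# A Run value whose *name* is a bare GUID (both runs use this shape).
GUID_RUN_VALUE = re.compile(
    r"\\CurrentVersion\\Run\\(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})$", re.I)
# Executable anywhere under the user's AppData tree.
APPDATA_EXE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\.+\.exe$", re.I)
# cmd.exe /c on a tmp<8 hex>.bat in %TEMP%: the self-delete helper seen in both runs.
TEMP_BAT = re.compile(
    r'cmd\.exe"?\s+/c\s+"?C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\tmp[0-9a-f]{8}\.bat"?', re.I)
TEMP_DIR = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def check_run_key(event):
    """Flag a GUID-named Run value; when the data is known, also record
    whether it points at an executable under AppData."""
    m = GUID_RUN_VALUE.search(event["key"])
    if not m:
        return None
    data = event.get("data")
    return {"rule": "run_key_guid_name", "value": m.group(1),
            "target_in_appdata": None if data is None else bool(APPDATA_EXE.match(data))}


def check_self_delete(event):
    """Flag cmd.exe running a %TEMP%\\tmp<8 hex>.bat on behalf of a parent
    that itself lives in %TEMP%."""
    if TEMP_BAT.search(event["cmdline"]) and TEMP_DIR.match(event["parent"]):
        return {"rule": "temp_bat_self_delete", "parent": event["parent"]}
    return None


def injection_edges(writes):
    """Collapse repeated WriteProcessMemory rows into one edge per (src, dst)
    with a count; writes into a new instance of the writer's own image (the
    hollowing step) are labelled self-image, everything else cross-image."""
    counts = Counter((w["src"], w["dst"], w["src_image"], w["dst_image"]) for w in writes)
    return [{"src": s, "dst": d, "writes": n, "dst_image": di,
             "kind": "self-image" if si.lower() == di.lower() else "cross-image"}
            for (s, d, si, di), n in counts.items()]


def triage(run):
    """Run all three checks over one detonation and return its alerts."""
    alerts = []
    for e in run["registry"]:
        a = check_run_key(e)
        if a:
            alerts.append(a)
    for e in run["processes"]:
        a = check_self_delete(e)
        if a:
            alerts.append(a)
    for edge in injection_edges(run["writes"]):
        if edge["kind"] == "self-image":
            alerts.append({"rule": "self_image_write", **edge})
    return alerts


# Events transcribed from the report (constructed input for this example).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe"
DROP_WIN10 = r"C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe"
DROP_WIN7 = r"C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"


def _writes(src, dst, src_image, dst_image, n):
    return [{"src": src, "dst": dst, "src_image": src_image, "dst_image": dst_image}] * n


BEHAVIORAL2 = {  # win10v2004 run
    "registry": [{"key": r"\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000"
                         r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
                         r"\{2B70E722-2822-6411-6EE8-CE486FCBB77F}", "data": DROP_WIN10}],
    "processes": [{"cmdline": r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp145175b8.bat"',
                   "parent": SAMPLE}],
    "writes": _writes(760, 4432, SAMPLE, SAMPLE, 8) + _writes(4432, 3844, SAMPLE, DROP_WIN10, 3)
              + _writes(3844, 1988, DROP_WIN10, DROP_WIN10, 8) + _writes(4432, 1644, SAMPLE, CMD, 3),
}
BEHAVIORAL1 = {  # win7 run; the report does not show the Run value's data
    "registry": [{"key": r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000"
                         r"\Software\Microsoft\Windows\CurrentVersion\Run"
                         r"\{B3708393-D6A3-F2AF-9614-938E0BD1CD2F}", "data": None}],
    "processes": [{"cmdline": r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf3479a3e.bat"',
                   "parent": SAMPLE}],
    "writes": _writes(2232, 2248, SAMPLE, SAMPLE, 9) + _writes(2248, 2380, SAMPLE, DROP_WIN7, 4)
              + _writes(2380, 2732, DROP_WIN7, DROP_WIN7, 9) + _writes(2248, 3064, SAMPLE, CMD, 4),
}

if __name__ == "__main__":
    for name, run in (("behavioral2", BEHAVIORAL2), ("behavioral1", BEHAVIORAL1)):
        print(name)
        for alert in triage(run):
            print("  ", alert)
```

Each run produces four alerts: the GUID-named Run value, the tmp*.bat self-delete, and two self-image writes (sample into sample, dropped executable into dropped executable). A Run value with a normal name such as OneDrive, or a tmp*.bat launched by a parent outside %TEMP%, produces nothing, which keeps the rules usable against ordinary endpoint telemetry.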

Processes

C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe

"C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe"

C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe

"C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf3479a3e.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nlo2014.in udp

Only the DNS query for nlo2014.in was seen in the 120 s window, and as in the Windows 10 run no connection followed it.

Files

memory/2248-{3,6,7,8,9}-0x0000000000400000-0x0000000000441000-memory.dmp

\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe

MD5 88c0b2df4d12618f413a3aaa7f698faf
SHA1 b23b06536b4eb53262a8528377614b11bcc6192e
SHA256 9a72c071710582bb614df1ecaabf4b5e192c8f1fef9f2bc9d5c23efd6c6165a1
SHA512 3db1f4e54ddc0e2931b3b09ecbd87e1ff26e6c3115730ab3cb69df954cfa7ae7c5fcc304909870aa03cce7369c0fda82787307ba321f9e3a79abc04d13671b1b

memory/2732-29-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2248-32-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpf3479a3e.bat

MD5 dca2cd508f1237e56ead31d3fbd29ee2
SHA1 405c178a54c30c8642697a07b1464bb89e4b7bb3
SHA256 7e6b031cabeee885699195beeb427964faf9abe50a3ec5248cb9794d09e6b368
SHA512 acd96e31701db3a5a4e201e8cad2551465879da5a0a97605647b44727462aff5ea63390c6ed66ebc95a1e9ec7ac6edc3ce6a060a1f0296f0f5d4e65bbbd2908c

memory/2732-{34,35,36,37,38,39,40,41,42,43,44,45}-0x0000000000400000-0x0000000000441000-memory.dmp

Dump file names are written in brace-expansion form; the number after the PID is the dump index. As in the Windows 10 run, every dump covers the 0x41000-byte region at image base 0x400000 in the hollowed instances (PID 2248 of the sample, PID 2732 of SyncMediaCenterPrograms.exe). The dropped executable's hash differs from the Windows 10 run's MozillaCtrl.exe, so the on-disk hash is a weak indicator; the identical region size across both runs suggests the same payload is being unpacked into memory each time.