Malware Analysis Report

2024-08-06 13:13

Sample ID 240616-az85xasajc
Target b0f0683358f3f66718dcdea684a959cc_JaffaCakes118
SHA256 476dd6c64a2e5c0547956069693b4072929a9a264d05e0d7ade0ba784e22377d
Tags
asyncrat evasion rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

476dd6c64a2e5c0547956069693b4072929a9a264d05e0d7ade0ba784e22377d

Threat Level: Known bad

The file b0f0683358f3f66718dcdea684a959cc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

asyncrat evasion rat

AsyncRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Async RAT payload

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Identifies Wine through registry keys

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Virtualization/Sandbox Evasion
T1497
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Virtualization/Sandbox Evasion
T1497
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 00:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 00:40

Reported

2024-06-16 00:42

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Driver" /tr "C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe" /f

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {A45BBF0D-A24B-462C-B248-B708DC905529} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp

Files

memory/1632-0-0x00000000001A0000-0x000000000051E000-memory.dmp

memory/1632-1-0x00000000001A0000-0x000000000051E000-memory.dmp

memory/1632-2-0x00000000001A0000-0x000000000051E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 00:40

Reported

2024-06-16 00:42

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2432 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2432 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 1240 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe C:\Windows\SysWOW64\schtasks.exe
PID 1240 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe C:\Windows\SysWOW64\schtasks.exe
PID 1240 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe C:\Windows\SysWOW64\schtasks.exe
PID 4376 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe C:\Windows\SysWOW64\schtasks.exe
PID 4376 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe C:\Windows\SysWOW64\schtasks.exe
PID 4376 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b0f0683358f3f66718dcdea684a959cc_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Driver" /tr "C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe" /f

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe

"C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Driver" /tr "C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe" /f

C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe

"C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Driver" /tr "C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/2432-0-0x00000000006B0000-0x0000000000A2E000-memory.dmp

memory/2432-1-0x00000000006B0000-0x0000000000A2E000-memory.dmp

memory/2432-2-0x00000000006B0000-0x0000000000A2E000-memory.dmp

memory/2432-8-0x00000000006B0000-0x0000000000A2E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Driver\Windows Driver.exe

MD5 b0f0683358f3f66718dcdea684a959cc
SHA1 f59c306fbc3129d09ba4e4ad8321c72a4858209c
SHA256 476dd6c64a2e5c0547956069693b4072929a9a264d05e0d7ade0ba784e22377d
SHA512 4635a3bb6f88fb9c8ece85e13510ecbc8b0f5e955ce234c23a70833c3a93398c96a8847e06c0913dbff01228b3198850b7f530e90095f0e91e2efc7cd8f6b36b

memory/1240-12-0x0000000000E90000-0x000000000120E000-memory.dmp

memory/1240-14-0x0000000000E90000-0x000000000120E000-memory.dmp

memory/1240-15-0x0000000000E90000-0x000000000120E000-memory.dmp

memory/1240-18-0x0000000000E90000-0x000000000120E000-memory.dmp

memory/4376-27-0x0000000000E90000-0x000000000120E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Driver.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/4376-29-0x0000000000E90000-0x000000000120E000-memory.dmp

memory/4376-30-0x0000000000E90000-0x000000000120E000-memory.dmp

memory/4376-32-0x0000000000E90000-0x000000000120E000-memory.dmp