Malware Analysis Report

2024-08-06 14:18

Sample ID 240619-17xd7athqc
Target 00d65b51da1e62f713a634679924b4a2_JaffaCakes118
SHA256 50d58f3bd8eece301f8a6dda5159f5a2f8769d0d97aec133f1eae3a4665b49e6
Tags
modiloader persistence privilege_escalation trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 00d65b51da1e62f713a634679924b4a2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader persistence privilege_escalation trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Deletes itself

Executes dropped EXE

Enumerates connected drives

Suspicious use of SetThreadContext

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Event Triggered Execution: Accessibility Features

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 22:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 22:18

Reported

2024-06-19 22:20

Platform

win7-20240221-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\windows_ipcomfig | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2060 set thread context of 2596 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\osk.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\_windows_ipcomfig | C:\Windows\windows_ipcomfig | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\_windows_ipcomfig | C:\Windows\windows_ipcomfig | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\windows_ipcomfig | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\windows_ipcomfig | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File created | C:\Windows\SgotoDel.bat | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\windows_ipcomfig

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 292 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | C:\Windows\windows_ipcomfig
PID 292 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | C:\Windows\windows_ipcomfig
PID 292 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | C:\Windows\windows_ipcomfig
PID 292 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | C:\Windows\windows_ipcomfig
PID 2060 wrote to memory of 2596 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\osk.exe
PID 2060 wrote to memory of 2596 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\osk.exe
PID 2060 wrote to memory of 2596 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\osk.exe
PID 2060 wrote to memory of 2596 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\osk.exe
PID 2060 wrote to memory of 2596 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\osk.exe
PID 2060 wrote to memory of 2596 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\osk.exe
PID 2060 wrote to memory of 2712 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\WerFault.exe
PID 2060 wrote to memory of 2712 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\WerFault.exe
PID 2060 wrote to memory of 2712 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\WerFault.exe
PID 2060 wrote to memory of 2712 | N/A | C:\Windows\windows_ipcomfig | C:\Windows\SysWOW64\WerFault.exe
PID 292 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 292 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 292 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 292 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe"

C:\Windows\windows_ipcomfig

C:\Windows\windows_ipcomfig

C:\Windows\SysWOW64\osk.exe

"C:\Windows\system32\osk.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 300

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\SgotoDel.bat

Network

N/A

Files

F:\windows_ipcomfig

MD5 00d65b51da1e62f713a634679924b4a2
SHA1 a804276e193a3f3e242ad144cbc7d253ac8b51e1
SHA256 50d58f3bd8eece301f8a6dda5159f5a2f8769d0d97aec133f1eae3a4665b49e6
SHA512 f782256cf4e321ca001bb7c6010eb82ece392b005b921d40ca9ebc2ed705a92f4c332a2f9f1e755408947bae24111f9518bd63ed952b84da95b4168c658be036

C:\Windows\SgotoDel.bat

MD5 3ee84fb381a9315eb3aea3dfd286a52d
SHA1 184a3fba83b9c6a8098d515c26d0135670cb1a6e
SHA256 1e342370ee60541fa466b802e44b11239db6a58dd8eb683c46f0ccae474aabbc
SHA512 2c4f47237705dcf38b08560e7ae695609a2769d0eca4b71a199f7c9125847dd79e622c7eed2d1a287499857eba42d852dd54802474b0b15665d03ae36f45983e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 22:18

Reported

2024-06-19 22:20

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\windows_ipcomfig | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\_windows_ipcomfig | C:\Windows\windows_ipcomfig | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\_windows_ipcomfig | C:\Windows\windows_ipcomfig | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\windows_ipcomfig | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\windows_ipcomfig | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A
File created | C:\Windows\SgotoDel.bat | C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\windows_ipcomfig

Processes

C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe"

C:\Windows\windows_ipcomfig

C:\Windows\windows_ipcomfig

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 684

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\SgotoDel.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

F:\windows_ipcomfig

MD5 00d65b51da1e62f713a634679924b4a2
SHA1 a804276e193a3f3e242ad144cbc7d253ac8b51e1
SHA256 50d58f3bd8eece301f8a6dda5159f5a2f8769d0d97aec133f1eae3a4665b49e6
SHA512 f782256cf4e321ca001bb7c6010eb82ece392b005b921d40ca9ebc2ed705a92f4c332a2f9f1e755408947bae24111f9518bd63ed952b84da95b4168c658be036

C:\Windows\SgotoDel.bat

MD5 3ee84fb381a9315eb3aea3dfd286a52d
SHA1 184a3fba83b9c6a8098d515c26d0135670cb1a6e
SHA256 1e342370ee60541fa466b802e44b11239db6a58dd8eb683c46f0ccae474aabbc
SHA512 2c4f47237705dcf38b08560e7ae695609a2769d0eca4b71a199f7c9125847dd79e622c7eed2d1a287499857eba42d852dd54802474b0b15665d03ae36f45983e