Analysis Overview
SHA256
a571cbff7518319ff7a3177fd480ccbcf7bec4a8e6694b07b4cb2e8d267e1a7c
Threat Level: Known bad
The file 0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat family
Gh0st RAT payload
Gh0strat
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 19:46
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-19 19:46
Reported
2024-06-19 19:49
Platform
win7-20240611-en
Max time kernel
126s
Max time network
125s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe" | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\Ball.exe | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| File opened for modification | C:\WINDOWS\Ball.exe | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2011529111153.exe
"C:\Users\Admin\AppData\Local\Temp\2011529111153.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | baike2011.3322.org | udp |
Files
C:\Windows\Temp\zk.exe
| MD5 | 7d86edf22313fa5d5eb1c54be6f6a324 |
| SHA1 | 8eeb4548895910fbc7075dda25361ce959c95bdf |
| SHA256 | e45adc891873e7f3de969313430c494ed6d1e07086208bf5a01094ffe9046c4f |
| SHA512 | 64f88917cf394de7ee603f7acf00e9d6b0cafb7083a46669ad106a776a60443898a906a5a05c917a31fc24780f94149d2628a541a645ac8d4f094c67055de69c |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-19 19:46
Reported
2024-06-19 19:49
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe" | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\Ball.exe | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| File opened for modification | C:\WINDOWS\Ball.exe | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2011529111153.exe
"C:\Users\Admin\AppData\Local\Temp\2011529111153.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | baike2011.3322.org | udp |
| US | 8.8.8.8:53 | baike2011.3322.org | udp |
| US | 8.8.8.8:53 | baike2011.3322.org | udp |
Files
C:\Windows\Temp\zk.exe
| MD5 | 7d86edf22313fa5d5eb1c54be6f6a324 |
| SHA1 | 8eeb4548895910fbc7075dda25361ce959c95bdf |
| SHA256 | e45adc891873e7f3de969313430c494ed6d1e07086208bf5a01094ffe9046c4f |
| SHA512 | 64f88917cf394de7ee603f7acf00e9d6b0cafb7083a46669ad106a776a60443898a906a5a05c917a31fc24780f94149d2628a541a645ac8d4f094c67055de69c |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-19 19:46
Reported
2024-06-19 19:49
Platform
win7-20240508-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2011529111155.exe
"C:\Users\Admin\AppData\Local\Temp\2011529111155.exe"
Network
Files
memory/1600-4-0x0000000010000000-0x000000001003D000-memory.dmp
\Users\Admin\AppData\Local\Temp\SkinH_EL.dll
| MD5 | 147127382e001f495d1842ee7a9e7912 |
| SHA1 | 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b |
| SHA256 | edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc |
| SHA512 | 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d |
memory/1600-8-0x0000000010009000-0x000000001000A000-memory.dmp
memory/1600-10-0x0000000010000000-0x000000001003D000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-19 19:46
Reported
2024-06-19 19:49
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2011529111155.exe
"C:\Users\Admin\AppData\Local\Temp\2011529111155.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4588 -ip 4588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4588 -ip 4588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 728
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll
| MD5 | 147127382e001f495d1842ee7a9e7912 |
| SHA1 | 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b |
| SHA256 | edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc |
| SHA512 | 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d |
memory/4588-7-0x0000000010009000-0x000000001000A000-memory.dmp
memory/4588-6-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4588-8-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4588-9-0x0000000010000000-0x000000001003D000-memory.dmp
memory/4588-10-0x0000000010000000-0x000000001003D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 19:46
Reported
2024-06-19 19:49
Platform
win7-20240508-en
Max time kernel
141s
Max time network
119s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe" | C:\Windows\temp\2011529111153.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\Ball.exe | C:\Windows\temp\2011529111153.exe | N/A |
| File opened for modification | C:\WINDOWS\Ball.exe | C:\Windows\temp\2011529111153.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\temp\2011529111153.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe"
C:\Windows\temp\2011529111153.exe
"C:\Windows\temp\2011529111153.exe"
C:\Windows\temp\2011529111155.exe
"C:\Windows\temp\2011529111155.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | baike2011.3322.org | udp |
Files
\Windows\Temp\2011529111153.exe
| MD5 | 7d86edf22313fa5d5eb1c54be6f6a324 |
| SHA1 | 8eeb4548895910fbc7075dda25361ce959c95bdf |
| SHA256 | e45adc891873e7f3de969313430c494ed6d1e07086208bf5a01094ffe9046c4f |
| SHA512 | 64f88917cf394de7ee603f7acf00e9d6b0cafb7083a46669ad106a776a60443898a906a5a05c917a31fc24780f94149d2628a541a645ac8d4f094c67055de69c |
\Windows\Temp\2011529111155.exe
| MD5 | 88c3255b87af2fbc78529daac66d02c1 |
| SHA1 | 8215823855a427ba69a4ca8edab8f340e8a9bfde |
| SHA256 | dd87e30afab371f9be168cbdb0bed2496b12e4631c388bddfe57a232071df227 |
| SHA512 | b0740b2e401aa629099a6a0b099ba9ea6cf9c59bc2f96e493adbca8db0d541ab987df70eff4257afebe33edb5d3be2362bf28fc4809da27499a092de7cc158c5 |
\Windows\Temp\SkinH_EL.dll
| MD5 | 147127382e001f495d1842ee7a9e7912 |
| SHA1 | 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b |
| SHA256 | edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc |
| SHA512 | 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d |
memory/2556-35-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2556-39-0x0000000010000000-0x000000001003D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 19:46
Reported
2024-06-19 19:49
Platform
win10v2004-20240508-en
Max time kernel
126s
Max time network
134s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe" | C:\Windows\temp\2011529111153.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\Ball.exe | C:\Windows\temp\2011529111153.exe | N/A |
| File opened for modification | C:\WINDOWS\Ball.exe | C:\Windows\temp\2011529111153.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\temp\2011529111155.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\temp\2011529111155.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\temp\2011529111153.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
| N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2408 wrote to memory of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111153.exe |
| PID 2408 wrote to memory of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111153.exe |
| PID 2408 wrote to memory of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111153.exe |
| PID 2408 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111155.exe |
| PID 2408 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111155.exe |
| PID 2408 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111155.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe"
C:\Windows\temp\2011529111153.exe
"C:\Windows\temp\2011529111153.exe"
C:\Windows\temp\2011529111155.exe
"C:\Windows\temp\2011529111155.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1628 -ip 1628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1628 -ip 1628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 748
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | baike2011.3322.org | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | baike2011.3322.org | udp |
Files
C:\Windows\Temp\2011529111153.exe
| MD5 | 7d86edf22313fa5d5eb1c54be6f6a324 |
| SHA1 | 8eeb4548895910fbc7075dda25361ce959c95bdf |
| SHA256 | e45adc891873e7f3de969313430c494ed6d1e07086208bf5a01094ffe9046c4f |
| SHA512 | 64f88917cf394de7ee603f7acf00e9d6b0cafb7083a46669ad106a776a60443898a906a5a05c917a31fc24780f94149d2628a541a645ac8d4f094c67055de69c |
C:\Windows\Temp\2011529111155.exe
| MD5 | 88c3255b87af2fbc78529daac66d02c1 |
| SHA1 | 8215823855a427ba69a4ca8edab8f340e8a9bfde |
| SHA256 | dd87e30afab371f9be168cbdb0bed2496b12e4631c388bddfe57a232071df227 |
| SHA512 | b0740b2e401aa629099a6a0b099ba9ea6cf9c59bc2f96e493adbca8db0d541ab987df70eff4257afebe33edb5d3be2362bf28fc4809da27499a092de7cc158c5 |
C:\Windows\Temp\SkinH_EL.dll
| MD5 | 147127382e001f495d1842ee7a9e7912 |
| SHA1 | 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b |
| SHA256 | edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc |
| SHA512 | 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d |
memory/1628-34-0x0000000010009000-0x000000001000A000-memory.dmp
memory/1628-33-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1628-35-0x0000000010000000-0x000000001003D000-memory.dmp
memory/1628-36-0x0000000010000000-0x000000001003D000-memory.dmp