Malware Analysis Report

2024-09-23 04:23

Sample ID 240620-jb8znszhpl
Target 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118
SHA256 1598031e1fa133953d15523f253a5183076f81446f9ecf6d81b68b62e010b198
Tags
metasploit backdoor evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1598031e1fa133953d15523f253a5183076f81446f9ecf6d81b68b62e010b198

Threat Level: Known bad

The file 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion trojan

MetaSploit

Modifies security service

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 07:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 07:30

Reported

2024-06-20 07:33

Platform

win7-20240220-en

Max time kernel

148s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2768 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2248 wrote to memory of 840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2248 wrote to memory of 840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2248 wrote to memory of 840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2768 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\windeft.exe
PID 2768 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\windeft.exe
PID 2768 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\windeft.exe
PID 2768 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\windeft.exe
PID 2676 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1604 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1604 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1604 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2676 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2676 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2676 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2676 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 3032 wrote to memory of 1680 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 1680 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 1680 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 1680 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1680 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1680 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1680 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3032 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 3032 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 3032 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 3032 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2620 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2704 wrote to memory of 1520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2704 wrote to memory of 1520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2704 wrote to memory of 1520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2620 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2620 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2620 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2620 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2736 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1956 wrote to memory of 2212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1956 wrote to memory of 2212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1956 wrote to memory of 2212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2736 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2736 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2736 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2736 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2976 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 460 "C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 536 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 540 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 544 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 548 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 552 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 556 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 560 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 564 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 568 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

N/A

Files

memory/2768-1-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2768-0-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2768-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

C:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5020988c301a6bf0c54a293ddf64837c
SHA1 5b65e689a2988b9a739d53565b2a847f20d70f09
SHA256 a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d
SHA512 921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

\Windows\SysWOW64\windeft.exe

MD5 040b4afe44ae7bb9ebe08445c2bed93a
SHA1 9e4ed8f203c42ee51432b61c45b8d53eb939c2b0
SHA256 1598031e1fa133953d15523f253a5183076f81446f9ecf6d81b68b62e010b198
SHA512 a319c52ed39875b0337217954d9fc34c9d4aca705d8875e8cfc11020bc21114eda589b20c399c5dd92544bccf7b4ab42919b67673b6f7e3e1d8fb2b285f77205

memory/2676-129-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2676-240-0x0000000000310000-0x0000000000311000-memory.dmp

memory/2676-239-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2768-163-0x0000000002880000-0x00000000029BE000-memory.dmp

memory/2768-131-0x0000000002880000-0x00000000029BE000-memory.dmp

memory/2768-244-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2676-245-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/3032-260-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2676-249-0x0000000002940000-0x0000000002A7E000-memory.dmp

memory/3032-251-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2676-250-0x0000000002940000-0x0000000002A7E000-memory.dmp

memory/3032-370-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2620-375-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2620-384-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/3032-374-0x0000000002870000-0x00000000029AE000-memory.dmp

memory/2620-494-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2736-498-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2736-509-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2620-508-0x00000000028B0000-0x00000000029EE000-memory.dmp

memory/2620-507-0x00000000028B0000-0x00000000029EE000-memory.dmp

memory/2736-619-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2736-624-0x00000000028B0000-0x00000000029EE000-memory.dmp

memory/2976-633-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2976-625-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2736-623-0x00000000028B0000-0x00000000029EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a5d4cddfecf34e5391a7a3df62312327
SHA1 04a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA256 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA512 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

memory/2976-744-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1184-759-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2976-748-0x0000000002990000-0x0000000002ACE000-memory.dmp

memory/2976-749-0x0000000002990000-0x0000000002ACE000-memory.dmp

memory/1184-750-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1184-869-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1184-883-0x0000000002820000-0x000000000295E000-memory.dmp

memory/1184-881-0x0000000002820000-0x000000000295E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c1e5f93e2bee9ca33872764d8889de23
SHA1 167f65adfc34a0e47cb7de92cc5958ee8905796a
SHA256 8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a
SHA512 482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

memory/956-884-0x0000000000400000-0x000000000053DAFB-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e6d8af5aed642209c88269bf56af50ae
SHA1 633d40da997074dc0ed10938ebc49a3aeb3a7fc8
SHA256 550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec
SHA512 6949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf

memory/956-994-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2548-1009-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2548-999-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/956-998-0x0000000002940000-0x0000000002A7E000-memory.dmp

memory/956-1001-0x0000000002940000-0x0000000002A7E000-memory.dmp

memory/2548-1119-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2548-1125-0x0000000002890000-0x00000000029CE000-memory.dmp

memory/2548-1133-0x0000000002890000-0x00000000029CE000-memory.dmp

memory/2028-1123-0x0000000000400000-0x000000000053DAFB-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a57e37dfb6f88b2d04424936ed0b4afb
SHA1 35e2f81486b8420b88b7693ad3e92f846367cb12
SHA256 411f47af20b97f1fe35d3ff6f2a03a77301c8bee20cdfd4638a68430af77456d
SHA512 41f683cc837a2ac36eaf8c32ac336534d329eb482c1a7bd23728b3878492ce79488647df4746701c15254e552e3460f8efa8cec9448a252146596c7926dff448

memory/2028-1134-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2028-1244-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/776-1259-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2028-1248-0x0000000002920000-0x0000000002A5E000-memory.dmp

memory/2028-1257-0x0000000002920000-0x0000000002A5E000-memory.dmp

memory/776-1249-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/776-1369-0x0000000000400000-0x000000000053DAFB-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 07:30

Reported

2024-06-20 07:33

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File created | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A
File opened for modification | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4876 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\windeft.exe
PID 4876 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\windeft.exe
PID 4876 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | C:\Windows\SysWOW64\windeft.exe
PID 3396 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 3964 wrote to memory of 2212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3964 wrote to memory of 2212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3964 wrote to memory of 2212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3396 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 3396 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 3396 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 1412 wrote to memory of 2632 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 2632 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 2632 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 4864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2632 wrote to memory of 4864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2632 wrote to memory of 4864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1412 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 1412 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 1412 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 1636 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4440 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4440 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1636 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 1636 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 1636 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2916 wrote to memory of 4320 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 4320 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 4320 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4320 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4320 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2916 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2916 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 1264 wrote to memory of 4128 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 4128 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 4128 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4128 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4128 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1264 wrote to memory of 2352 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 1264 wrote to memory of 2352 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 1264 wrote to memory of 2352 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2352 wrote to memory of 1508 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 1508 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 1508 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 4736 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1508 wrote to memory of 4736 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1508 wrote to memory of 4736 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2352 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2352 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 2352 wrote to memory of 1100 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\windeft.exe
PID 1100 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\windeft.exe | C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 5068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 1048 "C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 1172 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 1140 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 1148 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 1144 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 1152 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 1156 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 1164 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 1168 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\windeft.exe

C:\Windows\system32\windeft.exe 1160 "C:\Windows\SysWOW64\windeft.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4876-0-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/4876-1-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/4876-2-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/4876-5-0x00000000006B0000-0x00000000006B1000-memory.dmp

C:\Windows\SysWOW64\windeft.exe

MD5 040b4afe44ae7bb9ebe08445c2bed93a
SHA1 9e4ed8f203c42ee51432b61c45b8d53eb939c2b0
SHA256 1598031e1fa133953d15523f253a5183076f81446f9ecf6d81b68b62e010b198
SHA512 a319c52ed39875b0337217954d9fc34c9d4aca705d8875e8cfc11020bc21114eda589b20c399c5dd92544bccf7b4ab42919b67673b6f7e3e1d8fb2b285f77205

memory/3396-13-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/3396-32-0x0000000000670000-0x0000000000671000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/3396-31-0x0000000000400000-0x000000000053DAFB-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 872656500ddac1ddd91d10aba3a8df96
SHA1 ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
SHA256 d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
SHA512 e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5e073629d751540b3512a229a7c56baf
SHA1 8d384f06bf3fe00d178514990ae39fc54d4e3941
SHA256 2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e
SHA512 84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

\??\c:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

memory/3396-12-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/4876-127-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/3396-129-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1412-131-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1412-132-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1412-133-0x0000000000400000-0x000000000053DAFB-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2b307765b7465ef5e4935f0ed7307c01
SHA1 c46a1947f8b2785114891f7905f663d9ae517f1b
SHA256 a3f77536a922968bc49827a6c8553ed6b74eafd52e6c1fcfd62bfa20a83efc85
SHA512 fce4fbf9900f50368cb35ac40e60b54835912921848a45b196c6f68ad66a07549f27237956c751f511d2589cf91980658d4f1b743dd2c9c9506102da3be4bae2

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5da7efcc8d0fcdf2bad7890c3f8a27ca
SHA1 681788d5a3044eee8426d431bd786375cd32bf13
SHA256 7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8
SHA512 6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

memory/1412-245-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1636-247-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1636-249-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1636-248-0x0000000000400000-0x000000000053DAFB-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9fa547ff360b09f7e093593af0b5a13b
SHA1 9debc99bb7450f59a7b09f16c0393e5c7a955ba4
SHA256 7ff65c0be2004867f536ce9b94783da4b5e4bc06cca5bd899933c8b68a44c705
SHA512 30e5aa130c6b0869dc3fbb79da54d42699be6de0af65c9127ea047548a22d98b68300f18432141207166687576ba86433d4ae9d3458dbcc2aec9f14198c58193

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5002319f56002f8d7ceacecf8672ce25
SHA1 3b26b6801be4768cc7582e29bc93facdf2a74be3
SHA256 f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c
SHA512 8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

memory/1636-361-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2916-363-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2916-365-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2916-364-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2916-477-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1264-479-0x0000000000400000-0x000000000053DAFB-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5a466127fedf6dbcd99adc917bd74581
SHA1 a2e60b101c8789b59360d95a64ec07d0723c4d38
SHA256 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
SHA512 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 908860a865f8ed2e14085e35256578dd
SHA1 7ff5ee35cc7e96a661848eb95a70d0b8d2d78603
SHA256 d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f
SHA512 a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 748bce4dacebbbd388af154a1df22078
SHA1 0eeeb108678f819cd437d53b927feedf36aabc64
SHA256 1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a
SHA512 d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

memory/1264-593-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2352-595-0x0000000000400000-0x000000000053DAFB-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c1e5f93e2bee9ca33872764d8889de23
SHA1 167f65adfc34a0e47cb7de92cc5958ee8905796a
SHA256 8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a
SHA512 482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

memory/2352-709-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1100-711-0x0000000000400000-0x000000000053DAFB-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 558ce6da965ba1758d112b22e15aa5a2
SHA1 a365542609e4d1dc46be62928b08612fcabe2ede
SHA256 c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
SHA512 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a57e37dfb6f88b2d04424936ed0b4afb
SHA1 35e2f81486b8420b88b7693ad3e92f846367cb12
SHA256 411f47af20b97f1fe35d3ff6f2a03a77301c8bee20cdfd4638a68430af77456d
SHA512 41f683cc837a2ac36eaf8c32ac336534d329eb482c1a7bd23728b3878492ce79488647df4746701c15254e552e3460f8efa8cec9448a252146596c7926dff448

memory/1100-825-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2896-827-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2896-829-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/2896-828-0x0000000000400000-0x000000000053DAFB-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c8441ec8a2edf9b2f4f631fe930ea4d9
SHA1 2855ee21116b427d280fcaa2471c9bd3d2957f6f
SHA256 dd2fa55643d4e02b39ef5a619f2ca63e49d6cc1e6513d953c2d9400d46b88184
SHA512 b0b03828275f895adf93ef6b9d40d31e10f166d40c1ee0f5697aadcee1b6d5e8b81637ccfcf66ba9dfd92295f106cfac0eca2320b71a15ad96fdbe06f6764ef7

memory/2896-941-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1072-946-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1072-943-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1072-944-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/1072-1057-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/3792-1060-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/3792-1061-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/3792-1059-0x0000000000400000-0x000000000053DAFB-memory.dmp

memory/3792-1173-0x0000000000400000-0x000000000053DAFB-memory.dmp