Malware Analysis Report

2024-09-23 04:21

Sample ID 240620-lycwvs1emh
Target 04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118
SHA256 277b05671cde04ed4f0e360ab8d86e8ea099437ce8f7445c82718f77ea216fea
Tags metasploit backdoor evasion persistence trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 277b05671cde04ed4f0e360ab8d86e8ea099437ce8f7445c82718f77ea216fea

Threat Level: Known bad

The file 04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion persistence trojan upx

MetaSploit

Modifies firewall policy service

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks computer location settings

UPX packed file

Maps connected drives based on registry

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of UnmapMainImage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-20 09:56

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-20 09:56

Reported 2024-06-20 09:58

Platform win7-20240508-en

Max time kernel 148s

Max time network 121s

Command Line

C:\Windows\Explorer.EXE

Signatures

MetaSploit

trojan backdoor metasploit

Modifies firewall policy service

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxcm86.exe = "C:\\Windows\\SysWOW64\\igfxcm86.exe:*:Enabled:Intel Service Control" | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxcm86.exe = "C:\\Windows\\SysWOW64\\igfxcm86.exe:*:Enabled:Intel Service Control" | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

Deletes itself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Service Control = "C:\\Windows\\SysWOW64\\igfxcm86.exe" | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

Maps connected drives based on registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\igfxcm86.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\igfxcm86.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2176 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 2176 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 2176 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 2176 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 2176 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 2176 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 2176 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 1308 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 1308 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 1308 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 1308 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2696 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2696 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2696 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2696 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2696 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2696 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2696 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2868 wrote to memory of 1208 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\Explorer.EXE |
| PID 2868 wrote to memory of 1208 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\Explorer.EXE |

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe"

C:\Windows\SysWOW64\igfxcm86.exe

"C:\Windows\SysWOW64\igfxcm86.exe" C:\Users\Admin\AppData\Local\Temp\04EF93~1.EXE

C:\Windows\SysWOW64\igfxcm86.exe

"C:\Windows\SysWOW64\igfxcm86.exe" C:\Users\Admin\AppData\Local\Temp\04EF93~1.EXE

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | j16.fast-quantum-servers.su | udp |
| KR | 143.248.35.28:80 | | tcp |
| KR | 143.248.35.28:80 | | tcp |

Files

memory/1308-0-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1308-2-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1308-9-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1308-8-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1308-7-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1308-6-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1308-4-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1308-3-0x0000000000400000-0x000000000044E000-memory.dmp

\Windows\SysWOW64\igfxcm86.exe

MD5 04ef9325b31c0f6f9a16c682a15ae692
SHA1 19d77b13daf4b594b3f2d7f446f67c47dcbc085f
SHA256 277b05671cde04ed4f0e360ab8d86e8ea099437ce8f7445c82718f77ea216fea
SHA512 7312218be587f7ccd9a459b16095d8053839c0c509d35f0aec42a2290e51c1cb4639118586d0153038d4653cc75396ba47e480c762455b2386b00bedd732a13a

memory/2868-32-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1308-35-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2868-36-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1208-39-0x0000000002580000-0x0000000002581000-memory.dmp

memory/1208-37-0x0000000002560000-0x000000000257E000-memory.dmp

memory/2868-40-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2868-41-0x0000000000400000-0x000000000044E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-20 09:56

Reported 2024-06-20 09:58

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 50s

Command Line

C:\Windows\Explorer.EXE

Signatures

MetaSploit

trojan backdoor metasploit

Modifies firewall policy service

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxcm86.exe = "C:\\Windows\\SysWOW64\\igfxcm86.exe:*:Enabled:Intel Service Control" | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxcm86.exe = "C:\\Windows\\SysWOW64\\igfxcm86.exe:*:Enabled:Intel Service Control" | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |

Deletes itself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Service Control = "C:\\Windows\\SysWOW64\\igfxcm86.exe" | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

Maps connected drives based on registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\igfxcm86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\igfxcm86.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\igfxcm86.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

Enumerates physical storage devices

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | N/A |

Suspicious use of UnmapMainImage

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\igfxcm86.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3964 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 3964 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 3964 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 3964 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 3964 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 3964 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 3964 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe |
| PID 4308 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 4308 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 4308 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2368 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2368 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2368 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2368 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2368 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2368 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 2368 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\SysWOW64\igfxcm86.exe |
| PID 1860 wrote to memory of 3480 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\Explorer.EXE |
| PID 1860 wrote to memory of 3480 | N/A | C:\Windows\SysWOW64\igfxcm86.exe | C:\Windows\Explorer.EXE |

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04ef9325b31c0f6f9a16c682a15ae692_JaffaCakes118.exe"

C:\Windows\SysWOW64\igfxcm86.exe

"C:\Windows\SysWOW64\igfxcm86.exe" C:\Users\Admin\AppData\Local\Temp\04EF93~1.EXE

C:\Windows\SysWOW64\igfxcm86.exe

"C:\Windows\SysWOW64\igfxcm86.exe" C:\Users\Admin\AppData\Local\Temp\04EF93~1.EXE

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | j94.fast-quantum-servers.su | udp |
| KR | 143.248.35.28:80 | | tcp |

Files

memory/4308-0-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4308-5-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4308-4-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4308-3-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Windows\SysWOW64\igfxcm86.exe

MD5 04ef9325b31c0f6f9a16c682a15ae692
SHA1 19d77b13daf4b594b3f2d7f446f67c47dcbc085f
SHA256 277b05671cde04ed4f0e360ab8d86e8ea099437ce8f7445c82718f77ea216fea
SHA512 7312218be587f7ccd9a459b16095d8053839c0c509d35f0aec42a2290e51c1cb4639118586d0153038d4653cc75396ba47e480c762455b2386b00bedd732a13a

memory/1860-44-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4308-45-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1860-47-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1860-48-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1860-49-0x0000000000400000-0x0000000000433000-memory.dmp