Malware Analysis Report

2025-01-03 09:11

Sample ID 240620-mfsp2asdqa
Target 0520493b73d97579508f92272cef79a4_JaffaCakes118
SHA256 db4fd8a01b90198e432c05cca2e0f0191da63932473f7df64cd2cf2485c6938d
Tags bootkit persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256 db4fd8a01b90198e432c05cca2e0f0191da63932473f7df64cd2cf2485c6938d

Threat Level: Shows suspicious behavior

The file 0520493b73d97579508f92272cef79a4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-20 10:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-20 10:24
Reported 2024-06-20 10:27
Platform win7-20240611-en
Max time kernel 150s
Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target | Occurrences
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\shellexec.exe | N/A | 10
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe | N/A | 1

Drops file in System32 directory

Description | Indicator | Process | Target | Occurrences
File created | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | N/A | 10
File opened for modification | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | N/A | 10
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\shellexec.exe | N/A | 10
File created | C:\Windows\SysWOW64\shellexec.exe | C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe | N/A | 1
File opened for modification | C:\Windows\SysWOW64\shellexec.exe | C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 2760 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe | C:\Windows\SysWOW64\shellexec.exe | 4
PID 2748 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 4
PID 2520 wrote to memory of 1800 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 4
PID 1800 wrote to memory of 2408 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 4
PID 2408 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 4
PID 1796 wrote to memory of 1512 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 4
PID 1512 wrote to memory of 2296 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 4
PID 2296 wrote to memory of 796 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 4
PID 796 wrote to memory of 828 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 4
PID 828 wrote to memory of 1028 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 552 "C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 540 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 544 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 556 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 548 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 560 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 564 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 568 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 576 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 584 "C:\Windows\SysWOW64\shellexec.exe"

Network

N/A

Files

\Windows\SysWOW64\shellexec.exe

MD5 0520493b73d97579508f92272cef79a4
SHA1 fca131b114bbaf209cc0c1251c354a6611147cf9
SHA256 db4fd8a01b90198e432c05cca2e0f0191da63932473f7df64cd2cf2485c6938d
SHA512 3d0b11aebacecdd0fafbd5adf76957a62e27289d251c1cb782644e6f05111f5a94e8e0815385c556a2e543e4db0e153b2881f364eaba96f8325d99fc852ecab7

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-20 10:24
Reported 2024-06-20 10:27
Platform win10v2004-20240508-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target | Occurrences
File created | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | N/A | 10
File opened for modification | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | N/A | 10
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\shellexec.exe | N/A | 10
File created | C:\Windows\SysWOW64\shellexec.exe | C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe | N/A | 1
File opened for modification | C:\Windows\SysWOW64\shellexec.exe | C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 4372 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe | C:\Windows\SysWOW64\shellexec.exe | 3
PID 1496 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 3
PID 1592 wrote to memory of 4552 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 3
PID 4552 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 3
PID 4572 wrote to memory of 3348 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 3
PID 3348 wrote to memory of 1508 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 3
PID 1508 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 3
PID 3020 wrote to memory of 4004 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 3
PID 4004 wrote to memory of 4300 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 3
PID 4300 wrote to memory of 1076 | N/A | C:\Windows\SysWOW64\shellexec.exe | C:\Windows\SysWOW64\shellexec.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 1076 "C:\Users\Admin\AppData\Local\Temp\0520493b73d97579508f92272cef79a4_JaffaCakes118.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 1196 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 1132 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 1164 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 1172 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 1168 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 1156 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 1184 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 1180 "C:\Windows\SysWOW64\shellexec.exe"

C:\Windows\SysWOW64\shellexec.exe

C:\Windows\system32\shellexec.exe 1192 "C:\Windows\SysWOW64\shellexec.exe"

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp

Files

C:\Windows\SysWOW64\shellexec.exe

MD5 0520493b73d97579508f92272cef79a4
SHA1 fca131b114bbaf209cc0c1251c354a6611147cf9
SHA256 db4fd8a01b90198e432c05cca2e0f0191da63932473f7df64cd2cf2485c6938d
SHA512 3d0b11aebacecdd0fafbd5adf76957a62e27289d251c1cb782644e6f05111f5a94e8e0815385c556a2e543e4db0e153b2881f364eaba96f8325d99fc852ecab7