Malware Analysis Report

2025-01-03 09:22

Sample ID 240620-n3ktdawcpe
Target 05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118
SHA256 33cfba988c9cbbcb1f65079b2ff79c335b5167e85a512c4ffc7e0b1693710b70
Tags
bootkit persistence
score
7/10

Analysis Overview

score
7/10

SHA256

33cfba988c9cbbcb1f65079b2ff79c335b5167e85a512c4ffc7e0b1693710b70

Threat Level: Shows suspicious behavior

The file 05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 11:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 11:55

Reported

2024-06-20 11:57

Platform

win7-20240508-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\logon.exe N/A
N/A N/A C:\Windows\SysWOW64\spoolsvc.exe N/A
N/A N/A C:\Windows\SysWOW64\Isass.exe N/A
N/A N/A C:\Windows\SysWOW64\winamp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows DLL Loader = "C:\\Windows\\system32\\winamp.exe" C:\Windows\SysWOW64\winamp.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\logon.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\spoolsvc.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Isass.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\winamp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Isass.exe C:\Windows\SysWOW64\spoolsvc.exe N/A
File opened for modification C:\Windows\SysWOW64\Isass.exe C:\Windows\SysWOW64\spoolsvc.exe N/A
File created C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\winamp.exe N/A
File created C:\Windows\SysWOW64\logon.exe C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\logon.exe C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\spoolsvc.exe C:\Windows\SysWOW64\logon.exe N/A
File opened for modification C:\Windows\SysWOW64\spoolsvc.exe C:\Windows\SysWOW64\logon.exe N/A
File created C:\Windows\SysWOW64\ugys.bat C:\Windows\SysWOW64\Isass.exe N/A
File created C:\Windows\SysWOW64\jerzo.bat C:\Windows\SysWOW64\logon.exe N/A
File created C:\Windows\SysWOW64\aiubnfe.bat C:\Windows\SysWOW64\spoolsvc.exe N/A
File created C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\Isass.exe N/A
File opened for modification C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\Isass.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\logon.exe
PID 2284 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\logon.exe
PID 2284 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\logon.exe
PID 2284 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\logon.exe
PID 2584 wrote to memory of 2500 N/A C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2500 N/A C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2500 N/A C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2500 N/A C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2368 N/A C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\spoolsvc.exe
PID 2584 wrote to memory of 2368 N/A C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\spoolsvc.exe
PID 2584 wrote to memory of 2368 N/A C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\spoolsvc.exe
PID 2584 wrote to memory of 2368 N/A C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\spoolsvc.exe
PID 2368 wrote to memory of 2684 N/A C:\Windows\SysWOW64\spoolsvc.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2684 N/A C:\Windows\SysWOW64\spoolsvc.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2684 N/A C:\Windows\SysWOW64\spoolsvc.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2684 N/A C:\Windows\SysWOW64\spoolsvc.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2240 N/A C:\Windows\SysWOW64\spoolsvc.exe C:\Windows\SysWOW64\Isass.exe
PID 2368 wrote to memory of 2240 N/A C:\Windows\SysWOW64\spoolsvc.exe C:\Windows\SysWOW64\Isass.exe
PID 2368 wrote to memory of 2240 N/A C:\Windows\SysWOW64\spoolsvc.exe C:\Windows\SysWOW64\Isass.exe
PID 2368 wrote to memory of 2240 N/A C:\Windows\SysWOW64\spoolsvc.exe C:\Windows\SysWOW64\Isass.exe
PID 2240 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Isass.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Isass.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Isass.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Isass.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Isass.exe C:\Windows\SysWOW64\winamp.exe
PID 2240 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Isass.exe C:\Windows\SysWOW64\winamp.exe
PID 2240 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Isass.exe C:\Windows\SysWOW64\winamp.exe
PID 2240 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Isass.exe C:\Windows\SysWOW64\winamp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcikybin.bat" "

C:\Windows\SysWOW64\logon.exe

C:\Windows\system32\logon.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\SysWOW64\jerzo.bat" "

C:\Windows\SysWOW64\spoolsvc.exe

C:\Windows\system32\spoolsvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\SysWOW64\aiubnfe.bat" "

C:\Windows\SysWOW64\Isass.exe

C:\Windows\system32\Isass.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\SysWOW64\ugys.bat" "

C:\Windows\SysWOW64\winamp.exe

C:\Windows\system32\winamp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 l.abelc.com udp
US 8.8.8.8:53 l.abelc.com udp

Files

C:\Users\Admin\AppData\Local\Temp\hcikybin.bat

MD5 e50c7bafe1a4dc9c7d4cce9c00e3a442
SHA1 f14f36bf74bc8f44765ee356d59a5685ff939e4a
SHA256 2d5a9987cb7e8d96a59680fbf96142159792a18659898e6f8fc931bb8e1b680c
SHA512 c0609a0cbf098fd99bbb7368e447e6b42b77d69d694ac16f69a7305c08d63b65d32be70664cff3066284359dddc0ebb5fc6ac429907d8f5ea07e96177c6e9249

\Windows\SysWOW64\logon.exe

MD5 05c2b60ebbdb310855d7f5c3f6d3e9e4
SHA1 830bd8f65780f629f942c6730ca0e8abb53a22b3
SHA256 33cfba988c9cbbcb1f65079b2ff79c335b5167e85a512c4ffc7e0b1693710b70
SHA512 35d60d2473849f999d9c96621c2f0cc3d73a31e738352ac7c564c52ed2de59b6a1570a5b4720f25e02c50adb63a058cfdc269c1b62af6341831720513736c85a

C:\Windows\SysWOW64\jerzo.bat

MD5 cf5384d512296c9da2f73b59d16befb0
SHA1 6aa142f14d9186fd09aa37a1429ddb20cb35f23b
SHA256 23feea9f05fd965ec475b87df9ba906bb2ebe8d50f3bbab7ddcc6eaf2eca5eab
SHA512 b74fa66be366f42ef37cd076a89d1fa5e84e111a41852b264411ce38598cbb2d5086b0f2b69ba14d1c8146caa3aefbdfd26a1bddcd6befd1649d40e3f88662ed

C:\Windows\SysWOW64\aiubnfe.bat

MD5 3ade5c71f8fe526ef11fac62ad48055f
SHA1 3b5fb943b1e40f770559d47c1334f9fb5bd2af7a
SHA256 ea1e26112fd7b2a3c06deb8b59cdeaca4fd8ba6cb99fbc1749c7f8b37cc59b93
SHA512 23a14797e226a1a677be7b56cc08d234b52f0ecc05c13a1a5742c3abcf28969f80ac2bfe363c6c188d2c3065c8d3f339c5a532237f4f817b579febfeae54e09f

C:\Windows\SysWOW64\ugys.bat

MD5 e02cf6ef584a7c20e2843ae0d30e8284
SHA1 3c7419c138cfda00e3f659bae7ca9428cfef968e
SHA256 d23e5d25fcdd9e50561b4e4f02202cab69a29dde8f4cae19631cbbdb84009777
SHA512 361956be384e14cd9fcf789f3f6c74d63e1415af5537d266de58a2ac6536f7d41a4b2c09c90b0912414392f46648c25b1b25c76cf0998bba6d93bc0a9495e1bf

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 11:55

Reported

2024-06-20 11:57

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\algs.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\lssas.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\winamp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\algs.exe N/A
N/A N/A C:\Windows\SysWOW64\lssas.exe N/A
N/A N/A C:\Windows\SysWOW64\winamp.exe N/A
N/A N/A C:\Windows\SysWOW64\logon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows DLL Loader = "C:\\Windows\\system32\\logon.exe" C:\Windows\SysWOW64\logon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\algs.exe C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\lssas.exe N/A
File created C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\winamp.exe N/A
File created C:\Windows\SysWOW64\dpkvbihk.bat C:\Windows\SysWOW64\algs.exe N/A
File opened for modification C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\lssas.exe N/A
File created C:\Windows\SysWOW64\tltg.bat C:\Windows\SysWOW64\lssas.exe N/A
File opened for modification C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\winamp.exe N/A
File created C:\Windows\SysWOW64\wosm.bat C:\Windows\SysWOW64\winamp.exe N/A
File created C:\Windows\SysWOW64\algs.exe C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\lssas.exe C:\Windows\SysWOW64\algs.exe N/A
File opened for modification C:\Windows\SysWOW64\lssas.exe C:\Windows\SysWOW64\algs.exe N/A
File created C:\Windows\SysWOW64\logon.exe C:\Windows\SysWOW64\logon.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\algs.exe
PID 2324 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\algs.exe
PID 2324 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe C:\Windows\SysWOW64\algs.exe
PID 2056 wrote to memory of 3668 N/A C:\Windows\SysWOW64\algs.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 3668 N/A C:\Windows\SysWOW64\algs.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 3668 N/A C:\Windows\SysWOW64\algs.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2792 N/A C:\Windows\SysWOW64\algs.exe C:\Windows\SysWOW64\lssas.exe
PID 2056 wrote to memory of 2792 N/A C:\Windows\SysWOW64\algs.exe C:\Windows\SysWOW64\lssas.exe
PID 2056 wrote to memory of 2792 N/A C:\Windows\SysWOW64\algs.exe C:\Windows\SysWOW64\lssas.exe
PID 2792 wrote to memory of 456 N/A C:\Windows\SysWOW64\lssas.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 456 N/A C:\Windows\SysWOW64\lssas.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 456 N/A C:\Windows\SysWOW64\lssas.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 3352 N/A C:\Windows\SysWOW64\lssas.exe C:\Windows\SysWOW64\winamp.exe
PID 2792 wrote to memory of 3352 N/A C:\Windows\SysWOW64\lssas.exe C:\Windows\SysWOW64\winamp.exe
PID 2792 wrote to memory of 3352 N/A C:\Windows\SysWOW64\lssas.exe C:\Windows\SysWOW64\winamp.exe
PID 3352 wrote to memory of 3936 N/A C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 3936 N/A C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 3936 N/A C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 656 N/A C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\logon.exe
PID 3352 wrote to memory of 656 N/A C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\logon.exe
PID 3352 wrote to memory of 656 N/A C:\Windows\SysWOW64\winamp.exe C:\Windows\SysWOW64\logon.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05c2b60ebbdb310855d7f5c3f6d3e9e4_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\phzd.bat" "

C:\Windows\SysWOW64\algs.exe

C:\Windows\system32\algs.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\dpkvbihk.bat" "

C:\Windows\SysWOW64\lssas.exe

C:\Windows\system32\lssas.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\tltg.bat" "

C:\Windows\SysWOW64\winamp.exe

C:\Windows\system32\winamp.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\wosm.bat" "

C:\Windows\SysWOW64\logon.exe

C:\Windows\system32\logon.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 l.abelc.com udp
US 54.209.32.212:8998 l.abelc.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 52.71.57.184:8998 l.abelc.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 l.f8e.biz udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Windows\SysWOW64\algs.exe

MD5 05c2b60ebbdb310855d7f5c3f6d3e9e4
SHA1 830bd8f65780f629f942c6730ca0e8abb53a22b3
SHA256 33cfba988c9cbbcb1f65079b2ff79c335b5167e85a512c4ffc7e0b1693710b70
SHA512 35d60d2473849f999d9c96621c2f0cc3d73a31e738352ac7c564c52ed2de59b6a1570a5b4720f25e02c50adb63a058cfdc269c1b62af6341831720513736c85a

C:\Users\Admin\AppData\Local\Temp\phzd.bat

MD5 d7b4d32547cfabf48faf1c8204ac02d6
SHA1 7183e0175e7e6f11df935f0917af1084ed67fd6c
SHA256 843d0ca3eb11885dfe205cdf07108acf418b54b57b6e173aa9a3e9d86f752330
SHA512 9925017355085906c33cfe126596574153ba4d24d531c7ce874c4486d791021a567c3a0a4beabe91727721dd183736ba23c819a55cf84cb1dcc6b5ee562388dc

C:\Windows\SysWOW64\dpkvbihk.bat

MD5 ca0ca1cb07dfe5738a2ce9f18962c0a7
SHA1 34ca497edcfb7a75a71626b819f0c56a9643a740
SHA256 88a366e05929d84be87f704196e4d593edbef4e1473b33079906173cb9f44266
SHA512 a07346b3450332c7b5511b5985253a7451a0661fda00ff43e893e7ade1f6c2c8e647b7f08e8289b99062c207f43577090238fafeeec42a6e5535581d0754e52e

C:\Windows\SysWOW64\tltg.bat

MD5 d0bd6a103048e975180d033fe1d8525e
SHA1 a95db39b26e76f7a4f71552bd06b91595fc85f54
SHA256 9567d4741470a88603602fc0c570d6bed1d15aa29472ee26ce24bf95cb9b27a8
SHA512 7824d03ae9a5696dbfef2df5c2779c3a8d51e123ae9cfbbfa43f78a85d105446fd66344f1f9c53a1018675ca0c0ab126884f6d0ae66e607bb36f6c4652197c28

C:\Windows\SysWOW64\wosm.bat

MD5 58397c4a2d830d92a1eb2803357a197f
SHA1 198b55a5bf4e7761b54fd9ab79e9e3c11c4d5180
SHA256 ed7257face0b2b2500ab354270cc2e17bdb3df23b33d08e235ba13590232eaf8
SHA512 5cd79c91b453b9db4fc2de2e03588713afd2a0c2c55739d8774d65ba2026e8e1ce9d18b19d5dbc311ce893eb7ab4ef8ce1cae5aaaf513ad34dd0582d7a6abd6c
