Malware Analysis Report

2024-10-19 06:59

Sample ID 240620-wj669szfnh
Target 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118
SHA256 173b5946fd6bc355b0969bbf059b3c68e8224029486cac28af1c88a2677336bf
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

173b5946fd6bc355b0969bbf059b3c68e8224029486cac28af1c88a2677336bf

Threat Level: Known bad

The file 086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 17:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 17:58

Reported

2024-06-20 18:00

Platform

win7-20240419-en

Max time kernel

134s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened for modification F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_rejoice81.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe N/A
File opened for modification C:\Windows\SysWOW64\_rejoice81.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2052 set thread context of 2608 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 2052 set thread context of 2912 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A7762691-2F2E-11EF-BBEC-C662D38FA52F} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425068157" C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
PID 1704 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
PID 1704 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
PID 1704 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
PID 2052 wrote to memory of 2608 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 2052 wrote to memory of 2608 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 2052 wrote to memory of 2608 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 2052 wrote to memory of 2608 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 2052 wrote to memory of 2608 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 2052 wrote to memory of 2608 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 2052 wrote to memory of 2912 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2052 wrote to memory of 2912 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2052 wrote to memory of 2912 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2052 wrote to memory of 2912 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2052 wrote to memory of 2912 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 1704 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2496 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 2496 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 2496 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 2496 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1704-0-0x0000000000400000-0x0000000000509000-memory.dmp

memory/1704-2-0x0000000000400000-0x0000000000509000-memory.dmp

memory/1704-1-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/1704-3-0x00000000006A0000-0x00000000006A1000-memory.dmp

C:\AutoRun.inf

MD5 ec717a148c0c1573ad6a89a66095c8a0
SHA1 2677e5c816b191a5941be928f014ec201e7de18f
SHA256 d9c1af73c937692718c241a501d6213fac7803ab2f8504a845a540baf047c218
SHA512 1a925338fbdbb79bb8e38064b092d5a2dbd47095751ac9e88490f255db050598f209aa97da0d8a9984e173059cb13019d2f187d0efc9777afc6fcf82fb763797

F:\rejoice81.exe

MD5 086f4dd9584cc8d05f6b56a6b68dc747
SHA1 35091173ecfce7cf0b1beae0741376bf454d311f
SHA256 173b5946fd6bc355b0969bbf059b3c68e8224029486cac28af1c88a2677336bf
SHA512 1dbb99bdd7de99ec27dd2c0b07618f8e7ad61cf22849d9abbdf4314c04fe58507dc1467bffa9178a01e4033a276ce561492809d67d7ab07aa09e977c6056a07c

memory/1704-30-0x0000000002F60000-0x0000000003069000-memory.dmp

memory/2052-32-0x0000000000400000-0x0000000000509000-memory.dmp

memory/2052-33-0x0000000000400000-0x0000000000509000-memory.dmp

memory/2052-34-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2608-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat

MD5 91baa46248787aaf15cf57f165af25d0
SHA1 243ac9b44e75904237773767c65b9a1bf15c984e
SHA256 3e037b955fafb0da7f2f60d5e2bc8a73f32e3f2a646fbf90459812d52e7a4c9c
SHA512 2ceafcc236a7017128f36991f7faeb8b2b9d3db04a4f988c85f484854543449b4bf6a521e1bf41a64e4f7d91ea8fff672e94b464fbc1345a643ea2de9536082a

memory/2912-45-0x00000000001F0000-0x00000000002F9000-memory.dmp

memory/2608-46-0x0000000000470000-0x0000000000470000-memory.dmp

memory/1704-55-0x0000000000400000-0x0000000000509000-memory.dmp

memory/2052-54-0x0000000000400000-0x0000000000509000-memory.dmp

memory/2608-42-0x0000000000400000-0x0000000000509000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab33EF.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3473.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efa6102f4852448c4b993a78f8753e59
SHA1 02d940291b00c363073ea43f582e3c7c814a4a79
SHA256 fa11811b56ab5a4b4ff561296024e98c58fe53e36ca67d7f3aec8796e29b278d
SHA512 07702be8ebc2b94075ff9e11eaa5be8771fb5ee6cbfa8645f75ef6eb2d0571aa5d9fe787a4b7191a7b730b0dba8bd5b2e3cf259fbfc76b443d9aa1512ed849a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b692085498817f4361bbe7e26f183298
SHA1 ef79c201c3e2dd0e90157192a886d1aff65ecf8e
SHA256 17bd516a16da3bb3985392ed82f2fa54928465eefd2018a268fde9a94f881297
SHA512 55ee40516246e67a66128b4cecc909818cf671a24b5955961d464cdd4e6567c0af75ca87aab737897894085f4ecb43723a6427ed206340f4402d2039b0987618

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 357c06479909deee0afc0ad4a0f1694f
SHA1 b24433a94cb994542f839cb9c2f0cc6e118ee390
SHA256 15f046d331a2c0bc3427389c029c7bb33b72aa97ffa97d5ae6bfb570ee76c85b
SHA512 b8ebf3e7b89fe75b7c538006d7b4bf94020e8e88011004a484d11476e6e14dc500b5e23203a829abf27bf69751f385ded228ff833e2cbf2b8613b58e52cf22c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c17becaab2e7a27819508c73b2de4c2
SHA1 b136820dbee5dc026b139c22cd45282ca76e6b16
SHA256 0fb0f8b029ad7c32f40f0c6d7a17399f6f1ee7dc751bc95371bc49e7a9234f61
SHA512 74195ec54882c3af5b04ae93ce336f0162610097a80a2e876a7be07732cb690a9700f58e1aca2b2a970842fc7acecd03b59c10517d111618a3f5649105c5dac0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c75feaa1d5643b5b3099d0486ba5d16b
SHA1 b2af3375a5d4e41d7a1a5563617028dea3b91d1a
SHA256 4227dd475d53c68313adc3f6cd12eddde1dfe4db44b218c483ca500b1985a372
SHA512 d61107550d4325f6981452b1e246cef46c0069f6a691583c6e18f26f5327f50cf67e62453236fbac4217aa0d9557590ec206ff3c2d35883870ecbcd378382f20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3abbdec4c16e63582d39739b9fb88da0
SHA1 2b7c87c2f4aff656b66f4fd8bf95abfff3948abe
SHA256 14f4d8a0cd67a0002dfb21a04c8254d85ffd1176f146fc2145e25f7bfcab0b01
SHA512 b6eeb931ee2540385c0c728a99bad66eb27acd2bb4419d76ec8ddf50defb0aa73eb72226ec107d15ab9abd03feef4b04162d705ba8dce2f2e1a3f217e0ac8565

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c47d0b947480003e952c8186af73d4f
SHA1 0773f6a62e5a870b79488fb709357032ab4c5b6f
SHA256 cbe18714d708481bc3c0b4caf855ed4821652094dc72fc6672bd072e570ae3d1
SHA512 50b96d3424f9f130adb2dbdaa119b94e9f81aa876e65a0c7ea2b1f29c2bdeeea5a950735e9b0b6651a0b1a134dbe86781d9c495d412f99c8a9d57173f765b708

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09e449ba391f8f9338c3cff5e9f7613b
SHA1 29f849a0275272129b8a9184b69fcafc823d82a0
SHA256 92ddf7ed34146c9714927e729e9befa1d2d1ecd1d3bbae5d17b9de00234a5cbd
SHA512 cf095ccd0cc9fc169cb92e08ea70aa1051f95f8a86ef5f47288b4840f5b0d5236076c827fcbf6ff352ee519983ed643664d284d1d02d378573f9494abf401547

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f6d4fe6d1a58de3d7bafb22fa650835
SHA1 ea23bfbaa982cb1f5ec5c942c59734c383f05e0e
SHA256 1368e6876d85e1c9706ddbc12dc389762d8b956c130fddeb33017fc363e2e85a
SHA512 13277b5046551acfdb46c6605624782ab9099b5c57531c51df049edb7a6a1eb93562593afe5939324f1118b28af64d6210a902d2dbdbf151c287d767111b5a9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1a2271ad80de88f2368a2e2be3d92ad
SHA1 95804a134ab83007b3b0fa536a1b74a7cd4bcc3f
SHA256 9bb135835b1365d343a699be8d19d609b9e82e9a1d11a691cf5b65c916da6137
SHA512 a280d464e270127a7eaf6013e25c722e5eb491b79100a76ff44311e2efc22ef5a8a7b28e2d83e3100d91dc1dc6fa1f04a7f76f17c6392893da2b2f570de5d13d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33128082fc250374e18d8e5db335b2b2
SHA1 a4ef00136471f0aa288ab91e659232a04ed10baf
SHA256 608682f1c3547df13fe19b57bf2b2a6958f2ace564c32acf1491a23ffb2ab613
SHA512 8b137443eaf13be166c910ca01f7ddae9bb894481c26db563827ef311dbc266023bf2245d432894d934abeae19239870d13c58bd1439f5bc8a6acc02e5e2e1b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 091cbc9a04dd9d03e52152575267ecbc
SHA1 5189b5633b96ead01bc97a12c3599ecd308f4e76
SHA256 3c520ea00b3a2d3922fd3c1f7470b792b04f3495c7ed41ee3e1da9c5f3e65e65
SHA512 8edbf6be670100c58df0bed51210f739b0361fbe0dc9d32e27d4b03a1511e4adc3a057d2c3cceef42eaca028cf7235a7700ddc36ffc7624c4d68ff0ee486b0b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94d0f54eac21d3707464064725448101
SHA1 9b70df4c5c5d53ffd8cb77f70ab2f60299076602
SHA256 4d0f7ee78a629ed9440fcef0487414339de82752927d04620f61df4e0727851e
SHA512 2c45f6a58dd7a49445ccd202e06ede5671d3451b780b43ad03e7c1a55400b98dc05f16da9e9626a77277ac72ab980606ac4db6fea98658bdd71e9e5242cb8bbe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 651436438bc90dfe1e5aea588625bc7e
SHA1 6c33ab50d74ecdb010db869808b8e8497fc116fe
SHA256 0b83201cdaed6c3bb59df51859da94c73c992c4d2412027bac4616bf19f9a4e9
SHA512 6cdf6f18ea84fe1c6fdf12133dd810b372cf3ad635c84f008dade1a9edd3622ac9f4ddcd722e8ec17486bdbf88374fb3d1c7c89525b8164929f2aed04fd8650e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5dfebd9c945034b657afc59d01c46989
SHA1 0e08ccd7f65a686493faeabe494dc1397113204f
SHA256 8ff96556fdc8e2f5a770179f6c64bac3032f723304b0bf7529e68b75991953cd
SHA512 89cb654627222578d2636f551b6f1236c74f0d10bdfed3ae19983a13821c3368c6e143b7278cc13c598626f57168cd1493970fee358febc1650b33a0a1f7e6e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2efc2d921129c394c01cf3d3cddfd8d5
SHA1 c74e840f9fccf38377446e29fa3fc8ddcbdf712c
SHA256 1c06b57d9cb579eaf2461e847e4e1c6a5f625d27d6ec2c64a9e15917337546ca
SHA512 4441fab30f3039721cad917584690a19c4aacdf751b75fe85ea892fc64e7334914e45798a40264f4b7db921b9158dbb12d60a308f16ccc1a3a991a10cf06144d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 874fb845134821c3846ace68a7a70c3a
SHA1 79c4e8ca19430956adec07a72832c3eb82e8ccbd
SHA256 41afa6221898d42916007db582961dd5ee9b3ff0c4d19850467b758336fc4daf
SHA512 9e6c915f6fdef6006ac2c7ff56af368407db37d4c118b79f3ada640e50fb6a5034040d235acd29d66ba303c191f97e7cb1397cc38523baf364c9f0c16f4f378c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 17:58

Reported

2024-06-20 18:00

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened for modification F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_rejoice81.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe N/A
File opened for modification C:\Windows\SysWOW64\_rejoice81.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4560 set thread context of 2088 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 4560 set thread context of 5104 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\calc.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425068169" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A7FF57CE-2F2E-11EF-BCA5-5AA21198C1D4} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
PID 1844 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
PID 1844 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
PID 4560 wrote to memory of 2088 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 4560 wrote to memory of 2088 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 4560 wrote to memory of 2088 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 4560 wrote to memory of 2088 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 4560 wrote to memory of 2088 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\Windows\SysWOW64\calc.exe
PID 4560 wrote to memory of 5104 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 4560 wrote to memory of 5104 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 4560 wrote to memory of 5104 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 1844 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4816 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 5104 wrote to memory of 4816 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 5104 wrote to memory of 4816 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
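Worked example (added here, not part of the sandbox report): the rows above show rejoice81.exe (PID 4560) first writing into calc.exe (2088) and IEXPLORE.EXE (5104) and then calling SetThreadContext on each, the usual hollowing sequence, while the original dropper (1844) only writes into the children it spawned. The script below parses rows in the report's own phrasing, keeps only source/target pairs that show both behaviours, and ties the WerFault "-p 2088" command line back to the hollowed calc.exe host. The pipe-delimited input is constructed from the report's rows (one duplicate write row kept to show counting); the verdict labels are the example's own, not sandbox signature names.

```python
"""Correlate sandbox API rows (WriteProcessMemory + SetThreadContext) into
process-hollowing candidates and attribute WerFault crashes to hollowed hosts.
Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Constructed from the report's rows; pipes separate description | source image | target image.
EVENTS = r"""
PID 1844 wrote to memory of 4560 | C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
PID 4560 wrote to memory of 2088 | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe | C:\Windows\SysWOW64\calc.exe
PID 4560 wrote to memory of 2088 | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe | C:\Windows\SysWOW64\calc.exe
PID 4560 wrote to memory of 5104 | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe | C:\program files\internet explorer\IEXPLORE.EXE
PID 1844 wrote to memory of 3740 | C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4816 | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4560 set thread context of 2088 | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe | C:\Windows\SysWOW64\calc.exe
PID 4560 set thread context of 5104 | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe | C:\program files\internet explorer\IEXPLORE.EXE
"""

# Command lines copied from the report's Processes section.
COMMAND_LINES = r"""
"C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe"
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe"
"C:\Windows\system32\calc.exe"
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2088 -ip 2088
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 12
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")
# WerFault names the faulting process with -p <pid>; -pss/-ip carry other values.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def parse_events(text):
    """Return (writes, thread_ctx, images) from the pipe-delimited rows."""
    writes = defaultdict(int)   # (src_pid, dst_pid) -> number of WriteProcessMemory rows
    thread_ctx = set()          # (src_pid, dst_pid) pairs that also show SetThreadContext
    images = {}                 # pid -> image path, first name seen wins
    for raw in text.strip().splitlines():
        desc, src_img, dst_img = (part.strip() for part in raw.split("|"))
        for rx in (WRITE_RE, CTX_RE):
            m = rx.match(desc)
            if not m:
                continue
            src, dst = (int(g) for g in m.groups())
            images.setdefault(src, src_img)
            images.setdefault(dst, dst_img)
            if rx is WRITE_RE:
                writes[(src, dst)] += 1
            else:
                thread_ctx.add((src, dst))
    return writes, thread_ctx, images


def hollowing_candidates(writes, thread_ctx, images):
    """Write into a process AND reset one of its threads' context is the
    hollowing sequence. A write alone (a parent fixing up a child it just
    created) stays out of the list and deserves lower priority."""
    out = []
    for src, dst in sorted(thread_ctx):
        if (src, dst) in writes:
            out.append({"src_pid": src, "src_image": images[src],
                        "dst_pid": dst, "dst_image": images[dst],
                        "writes": writes[(src, dst)]})
    return out


def attribute_crashes(command_lines, images):
    """Map each WerFault -p <pid> invocation back to the crashed image."""
    crashed = {}
    for line in command_lines.strip().splitlines():
        m = WERFAULT_RE.search(line)
        if m:
            pid = int(m.group(1))
            crashed[pid] = images.get(pid, "<unknown>")
    return crashed


def analyze(events_text, command_lines):
    writes, ctx, images = parse_events(events_text)
    candidates = hollowing_candidates(writes, ctx, images)
    crashed = attribute_crashes(command_lines, images)
    hollowed = {c["dst_pid"] for c in candidates}
    return {"candidates": candidates, "crashed": crashed,
            # injected hosts that then crashed: the payload did not survive there
            "crashed_hollow_hosts": sorted(hollowed & set(crashed))}


if __name__ == "__main__":
    result = analyze(EVENTS, COMMAND_LINES)
    for c in result["candidates"]:
        print(f"{c['src_pid']} {c['src_image']} -> {c['dst_pid']} {c['dst_image']} "
              f"({c['writes']} write(s) + SetThreadContext)")
    print("crashed hollow hosts:", result["crashed_hollow_hosts"])
```

The same correlation applies to Sysmon event IDs 8/10 or EDR API telemetry; the value is in requiring both behaviours on one source/target pair, which keeps ordinary parent-to-child writes out of the alert while still catching the two injections the report records.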

Processes

C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\086f4dd9584cc8d05f6b56a6b68dc747_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2088 -ip 2088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 12

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5104 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp

Files

memory/1844-0-0x0000000000400000-0x0000000000509000-memory.dmp

memory/1844-1-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/1844-2-0x0000000000400000-0x0000000000509000-memory.dmp

memory/1844-3-0x0000000002180000-0x0000000002181000-memory.dmp

C:\AutoRun.inf

MD5 ec717a148c0c1573ad6a89a66095c8a0
SHA1 2677e5c816b191a5941be928f014ec201e7de18f
SHA256 d9c1af73c937692718c241a501d6213fac7803ab2f8504a845a540baf047c218
SHA512 1a925338fbdbb79bb8e38064b092d5a2dbd47095751ac9e88490f255db050598f209aa97da0d8a9984e173059cb13019d2f187d0efc9777afc6fcf82fb763797

F:\rejoice81.exe

MD5 086f4dd9584cc8d05f6b56a6b68dc747
SHA1 35091173ecfce7cf0b1beae0741376bf454d311f
SHA256 173b5946fd6bc355b0969bbf059b3c68e8224029486cac28af1c88a2677336bf
SHA512 1dbb99bdd7de99ec27dd2c0b07618f8e7ad61cf22849d9abbdf4314c04fe58507dc1467bffa9178a01e4033a276ce561492809d67d7ab07aa09e977c6056a07c

memory/4560-27-0x0000000000400000-0x0000000000509000-memory.dmp

memory/4560-30-0x0000000002180000-0x0000000002181000-memory.dmp

memory/2088-31-0x0000000000400000-0x0000000000509000-memory.dmp

memory/5104-33-0x0000000000250000-0x0000000000359000-memory.dmp

memory/4560-37-0x0000000000400000-0x0000000000509000-memory.dmp

memory/1844-36-0x0000000000400000-0x0000000000509000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat

MD5 91baa46248787aaf15cf57f165af25d0
SHA1 243ac9b44e75904237773767c65b9a1bf15c984e
SHA256 3e037b955fafb0da7f2f60d5e2bc8a73f32e3f2a646fbf90459812d52e7a4c9c
SHA512 2ceafcc236a7017128f36991f7faeb8b2b9d3db04a4f988c85f484854543449b4bf6a521e1bf41a64e4f7d91ea8fff672e94b464fbc1345a643ea2de9536082a
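Worked example (added here, not part of the sandbox report): F:\rejoice81.exe above carries the same MD5 and SHA256 as the submitted sample (173b5946fd6bc355b0969bbf059b3c68e8224029486cac28af1c88a2677336bf), so the dropper copied itself byte-for-byte to the F: drive alongside an AutoRun.inf, the removable-media spread the "Drops autorun.inf file" signature points at. The script sweeps a drive root for files whose SHA256 is in the report's list and reads the [autorun] launch keys. The fixture directory it builds is a constructed stand-in: placeholder bytes instead of the sample and an invented autorun.inf pointing at rejoice81.exe (the report does not record the real AutoRun.inf contents); the stand-in's hash is added to the known set at build time only so the example runs offline.

```python
"""Sweep a drive root for the artefacts the report lists on F:\ (a byte-identical
copy of the sample plus an AutoRun.inf). Added example, not part of the report."""
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Files section.
REPORT_SHA256 = {
    "173b5946fd6bc355b0969bbf059b3c68e8224029486cac28af1c88a2677336bf":
        "submitted sample == F:\\rejoice81.exe",
    "d9c1af73c937692718c241a501d6213fac7803ab2f8504a845a540baf047c218": "C:\\AutoRun.inf",
    "3e037b955fafb0da7f2f60d5e2bc8a73f32e3f2a646fbf90459812d52e7a4c9c": "ReDelBat.bat",
}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_autorun(path):
    """Return the keys of the [autorun] section, lower-cased (open, shellexecute, icon, ...)."""
    keys, in_section = {}, False
    for line in Path(path).read_text(errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def sweep_root(root, known_sha256):
    """Check the files at a drive root: known-bad hashes and an autorun.inf.
    The report places both artefacts directly at the root, so no recursion."""
    root = Path(root)
    findings = []
    for p in sorted(root.iterdir()):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in known_sha256:
            findings.append({"path": str(p), "reason": "known-bad hash",
                             "sha256": digest, "label": known_sha256[digest]})
        if p.name.lower() == "autorun.inf":
            keys = parse_autorun(p)
            launch = keys.get("open") or keys.get("shellexecute")
            findings.append({"path": str(p), "reason": "autorun.inf present",
                             "launches": launch,
                             # does the binary autorun would start actually sit on the drive?
                             "launch_target_exists":
                                 bool(launch) and (root / launch.split()[0]).exists()})
    return findings


def build_fixture():
    """Constructed stand-in for an infected removable drive. The executable bytes
    are placeholder data, not the sample, so their hash is registered here."""
    root = Path(tempfile.mkdtemp(prefix="drive_F_"))
    exe = root / "rejoice81.exe"
    exe.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed placeholder, not the real sample")
    # Invented autorun.inf; the report does not record the real file's contents.
    (root / "AutoRun.inf").write_text("[autorun]\r\nopen=rejoice81.exe\r\nicon=rejoice81.exe\r\n")
    (root / "notes.txt").write_text("benign file\n")
    known = dict(REPORT_SHA256)
    known[sha256_file(exe)] = "fixture stand-in for F:\\rejoice81.exe"
    return root, known


if __name__ == "__main__":
    drive_root, known = build_fixture()
    for f in sweep_root(drive_root, known):
        print(f)
```

A hash sweep only catches byte-identical copies, which is exactly what this sample leaves behind; a repacked build would need a YARA or behavioural match instead. The autorun.inf check is still worth keeping even on hosts where AutoRun is disabled, because the file marks the drive as one the malware has touched.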