Malware Analysis Report

2024-10-23 19:31

Sample ID: 240620-xhzapssekf
Target: 08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118
SHA256: def80d52865a8f5abe1a54989c9869c456f8c2d9722a82dde46f0822ce403977
Tags: modiloader trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: def80d52865a8f5abe1a54989c9869c456f8c2d9722a82dde46f0822ce403977

Threat Level: Known bad

The file 08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader
ModiLoader Second Stage
Deletes itself
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-20 18:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 18:51
Reported: 2024-06-20 18:54
Platform: win7-20240419-en
Max time kernel: 141s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_rejoice813.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe N/A
File opened for modification C:\Windows\SysWOW64\_rejoice813.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2636 set thread context of 2656 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 2636 set thread context of 2704 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe
PID 2636 wrote to memory of 2656 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 1732 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2568 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 2636 wrote to memory of 2576 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 2636 wrote to memory of 1700 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 2636 wrote to memory of 2704 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 2636 wrote to memory of 2116 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 2636 wrote to memory of 1196 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 2636 wrote to memory of 1228 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 2636 wrote to memory of 2644 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 2636 wrote to memory of 1708 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe"

C:\Windows\SysWOW64\calc.exe (15 instances)
    "C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

Network

Country Destination Domain Proto
US 8.8.8.8:53 w125.3322.org udp

Files


\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice813.exe

MD5 08d2170af43c86ed97d0dac1ff5dda13
SHA1 1a392945351dcf710e5ff89bbd84e4ca0042d018
SHA256 def80d52865a8f5abe1a54989c9869c456f8c2d9722a82dde46f0822ce403977
SHA512 1f5920c454955f939d2c8be06282a48342b70fd9c2c5f110ec1fa2c3e94d254192404218a1c0608dd5351c8794155ada85a0b2d964f53448a2b846ebf32fab6a

These hashes are identical to those of the submitted sample, so rejoice813.exe is a byte-for-byte copy of the original executable placed under Program Files rather than a distinct second-stage payload.


C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

MD5 1c26e6dbd374899a7b0bceeeeb790b18
SHA1 10f738dc8709ca4497585c86b6a7d7a02631202a
SHA256 4ee0afb71247d02c06e3ab15ba26e1b3f576149e5ab3b97b8226bda616420e85
SHA512 89ee2cdfde82f43bb05675952fde27f49671ef9b3a431541c1e8cfab953466d98d35b5257fc2845e65ef0799befd783c590767fe3b93c76016f68839f6c68bcb


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 18:51
Reported: 2024-06-20 18:54
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\_rejoice813.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe N/A
File created C:\Windows\SysWOW64\_rejoice813.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\calc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe
PID 4496 wrote to memory of 2976 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4816 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 3136 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 1464 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 3456 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 3896 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 4296 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 1368 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 392 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 4476 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 4580 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 4976 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 4520 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 3056 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe
PID 4496 wrote to memory of 1892 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe C:\Windows\SysWOW64\calc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\08d2170af43c86ed97d0dac1ff5dda13_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe"

C:\Windows\SysWOW64\calc.exe (15 instances)
    "C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

C:\Windows\SysWOW64\WerFault.exe (18 instances)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2976 -ip 2976
    C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 12
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1464 -ip 1464
    C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 12
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4296 -ip 4296
    C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 12
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 392 -ip 392
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 12
    C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4580 -ip 4580
    C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 12
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4976 -ip 4976
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 12
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4520 -ip 4520
    C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 12
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3056 -ip 3056
    C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 12
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1084 -ip 1084
    C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 12

The WerFault.exe instances account for the Program crash signature. Every crashed PID except 1084 (2976, 1464, 4296, 392, 4580, 4976, 4520 and 3056) is a calc.exe process that rejoice813.exe wrote to, so on this Windows 10 platform the injected calc.exe hosts crashed instead of running the second stage.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 w125.3322.org udp

Files


C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice813.exe

MD5 08d2170af43c86ed97d0dac1ff5dda13
SHA1 1a392945351dcf710e5ff89bbd84e4ca0042d018
SHA256 def80d52865a8f5abe1a54989c9869c456f8c2d9722a82dde46f0822ce403977
SHA512 1f5920c454955f939d2c8be06282a48342b70fd9c2c5f110ec1fa2c3e94d254192404218a1c0608dd5351c8794155ada85a0b2d964f53448a2b846ebf32fab6a


C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

MD5 1c26e6dbd374899a7b0bceeeeb790b18
SHA1 10f738dc8709ca4497585c86b6a7d7a02631202a
SHA256 4ee0afb71247d02c06e3ab15ba26e1b3f576149e5ab3b97b8226bda616420e85
SHA512 89ee2cdfde82f43bb05675952fde27f49671ef9b3a431541c1e8cfab953466d98d35b5257fc2845e65ef0799befd783c590767fe3b93c76016f68839f6c68bcb
