Malware Analysis Report

2024-08-06 17:34

Sample ID 240624-l9qbbsxaqb
Target 07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118
SHA256 d230c75cac484403eb21527cfb791b0f26bedc51ea31de00c726701d7910930c
Tags
darkcomet guest16 aspackv2 evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d230c75cac484403eb21527cfb791b0f26bedc51ea31de00c726701d7910930c

Threat Level: Known bad

The file 07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 aspackv2 evasion persistence rat trojan

Modifies WinLogon for persistence

Modifies firewall policy service

Modifies security service

Darkcomet

Windows security bypass

Disables Task Manager via registry modification

Sets file to hidden

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Create or Modify System Process
T1543
Windows Service
T1543.003
Defense Evasion
TA0005
Modify Registry
T1112
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Disable or Modify System Firewall
T1562.004
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-24 10:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 10:14

Reported

2024-06-24 10:16

Platform

win7-20240611-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A

Disables Task Manager via registry modification

evasion

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\calc.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\calc.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
File opened for modification C:\Windows\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
File opened for modification C:\Windows\MSDCSC\ \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe N/A
Token: 33 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE N/A
Token: SeIncBasePriorityPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeSecurityPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeTakeOwnershipPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeLoadDriverPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeSystemProfilePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeSystemtimePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeProfSingleProcessPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeIncBasePriorityPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeCreatePagefilePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeBackupPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeRestorePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeShutdownPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeDebugPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeSystemEnvironmentPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeChangeNotifyPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeRemoteShutdownPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeUndockPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeManageVolumePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeImpersonatePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeCreateGlobalPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: 33 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: 34 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: 35 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeSecurityPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeTakeOwnershipPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeLoadDriverPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeSystemProfilePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeSystemtimePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeProfSingleProcessPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeCreatePagefilePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeBackupPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeRestorePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeShutdownPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeDebugPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeChangeNotifyPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeRemoteShutdownPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeUndockPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeManageVolumePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeImpersonatePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: SeCreateGlobalPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: 33 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: 34 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A
Token: 35 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE
PID 1844 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE
PID 1844 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE
PID 1844 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE
PID 2024 wrote to memory of 3032 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe
PID 2024 wrote to memory of 3032 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe
PID 2024 wrote to memory of 3032 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe
PID 2024 wrote to memory of 3032 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe
PID 3032 wrote to memory of 2544 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
PID 3032 wrote to memory of 2544 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
PID 3032 wrote to memory of 2544 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
PID 3032 wrote to memory of 2544 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
PID 3032 wrote to memory of 2724 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
PID 3032 wrote to memory of 2724 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
PID 3032 wrote to memory of 2724 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
PID 3032 wrote to memory of 2724 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 3032 wrote to memory of 2496 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 2496 wrote to memory of 2248 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe C:\Windows\SysWOW64\WerFault.exe
PID 2496 wrote to memory of 2248 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe C:\Windows\SysWOW64\WerFault.exe
PID 2496 wrote to memory of 2248 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe C:\Windows\SysWOW64\WerFault.exe
PID 2496 wrote to memory of 2248 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe C:\Windows\SysWOW64\WerFault.exe
PID 2724 wrote to memory of 2380 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe
PID 2724 wrote to memory of 2380 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe
PID 2724 wrote to memory of 2380 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe
PID 2724 wrote to memory of 2380 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe
PID 2544 wrote to memory of 888 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe
PID 2544 wrote to memory of 888 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe
PID 2544 wrote to memory of 888 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe
PID 2544 wrote to memory of 888 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe
PID 3032 wrote to memory of 1428 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe
PID 3032 wrote to memory of 1428 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe
PID 3032 wrote to memory of 1428 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe
PID 3032 wrote to memory of 1428 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe
PID 2024 wrote to memory of 2844 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\calc.exe
PID 2024 wrote to memory of 2844 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\calc.exe
PID 2024 wrote to memory of 2844 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\calc.exe
PID 2024 wrote to memory of 2844 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\calc.exe
PID 1428 wrote to memory of 980 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 1428 wrote to memory of 980 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 1428 wrote to memory of 980 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 1428 wrote to memory of 980 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 1428 wrote to memory of 980 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 1428 wrote to memory of 980 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 1428 wrote to memory of 980 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 1428 wrote to memory of 980 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 1428 wrote to memory of 980 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe
PID 1428 wrote to memory of 980 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe"

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE

"C:\Users\Admin\AppData\Local\Temp\3.EXE"

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe" +s +h

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP" +s +h

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe

notepad

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 48

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@WINDIR@\MSDCSC\msdcsc.exe

"C:\Windows\MSDCSC\msdcsc.exe"

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP" +s +h

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe" +s +h

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\calc.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\calc.exe

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe

notepad

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 48

Network

Country Destination Domain Proto
US 8.8.8.8:53 badrou.no-ip.org udp
US 8.8.8.8:53 pidrou.no-ip.org udp
N/A 192.168.0.10:1604 tcp
N/A 192.168.0.10:1604 tcp
N/A 192.168.0.10:1604 tcp
N/A 192.168.0.10:1604 tcp
N/A 192.168.0.10:1604 tcp
N/A 192.168.0.10:1604 tcp
N/A 192.168.0.10:1604 tcp

Files

memory/1844-8-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1844-7-0x00000000771B0000-0x00000000771B1000-memory.dmp

memory/1844-6-0x00000000004A0000-0x0000000000512000-memory.dmp

memory/1844-5-0x00000000004A0000-0x0000000000512000-memory.dmp

memory/1844-4-0x0000000010000000-0x0000000010037000-memory.dmp

memory/1844-3-0x0000000010000000-0x0000000010037000-memory.dmp

memory/1844-2-0x0000000010000000-0x0000000010037000-memory.dmp

memory/1844-1-0x0000000010000000-0x0000000010037000-memory.dmp

memory/1844-0-0x0000000010000000-0x0000000010037000-memory.dmp

memory/1844-9-0x00000000004A0000-0x0000000000512000-memory.dmp

\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\3.EXE

MD5 0aac696a50c6ffc925cca50c35943ba9
SHA1 a8201cb0a493a72c44de26efa0abd34120065d47
SHA256 2895097e1b99171f8559e13a2744dd45b0c6e6ae445426abb556c71d02e79c6e
SHA512 ac20f4af08f73691113531664080ab5fd621b82c8a40dbbc89f01c084fd9f24ce53eed242b33d8c2b792f0fde82b271b91b0c0609e99f52250beb6f0b7f8cc00

memory/1844-12-0x0000000004D20000-0x0000000004D9F000-memory.dmp

memory/1844-11-0x0000000004D20000-0x0000000004D9F000-memory.dmp

memory/2024-14-0x0000000001000000-0x000000000107F000-memory.dmp

memory/2024-19-0x0000000001000000-0x000000000107F000-memory.dmp

memory/2024-21-0x0000000001000000-0x000000000107F000-memory.dmp

memory/2024-20-0x0000000001000000-0x000000000107F000-memory.dmp

memory/2024-17-0x0000000001000000-0x000000000107F000-memory.dmp

memory/2024-16-0x0000000001000000-0x000000000107F000-memory.dmp

memory/2024-18-0x0000000001000000-0x000000000107F000-memory.dmp

memory/1844-22-0x00000000004A0000-0x0000000000512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe

MD5 231df7766102e8e01aaff3d0e9af0c36
SHA1 dea67a0d50fc1842ce87daa148dd5d13d9972249
SHA256 6481af14e36b8a03827caaf5c408df485a278c7508b95d232b4448a94acef624
SHA512 dcf643c8ee0710b0ea4eebbe0b1a231f2401948a055b1165b4cfdc8a908717f5bec7715dff7564633538bb31fbac70b85aa39089353906d9bca30ba465633cb8

\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\2.exe

MD5 6f0095cf93a995e546d7edae6e081e49
SHA1 eefaa73d35e88fbb6254eb883d8afd530bfa4ba1
SHA256 fc27a2e191daf1b4ecb5f9b9baa62f18143675a3792f0d3dc5ef5f0be1f5a4cb
SHA512 874b2a91aee40a0360f3b5ab93e58cf39a3670949e828869905d4a05873b33ccb026eabfeee0837220582f1e0e111a4b07473326c7e520e6e7f9236d822a34c1

memory/3032-41-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-55-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-56-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-54-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-53-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-49-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-47-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-44-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/2024-45-0x0000000000C40000-0x0000000000D25000-memory.dmp

memory/3032-43-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-42-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-40-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-39-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-51-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/3032-57-0x00000000005B0000-0x0000000000622000-memory.dmp

\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe

MD5 ae94a75a83cbe2307b932b3af492d5ce
SHA1 a5c3d44899c3d133815c1d74a0016190f5394999
SHA256 d111c6f792e77b3c81a1be1c3c95db71cd53bdd8fe5027cb8734f71315816407
SHA512 feabae30331f399767d5dfecca2a4d72cbae3f1dd234e18585ea12cde683fb169814627cd32b98ccfb8824ef33b34f121ecb4824715a12fef4719033d8ca969b

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\notepad.exe

MD5 ff1483d8bb2144a0d88e9f768fc9e7ae
SHA1 0fdc73ea2206c46cde661dd94252073e742429b9
SHA256 f6da548fe834f1e1a8911f47f73d810405fb7f234ebdd48f6d8f52c8c0545442
SHA512 ea6e5e2b0afc4ad7b124e974bca697485ded076cd17a1e8f85b3348f389f84178557f8b66f08126ca9473cc9ad9c10fdf8d9c074eacc261ef7069c4262b3a3bc

memory/2496-65-0x00000000000F0000-0x00000000000F1000-memory.dmp

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@SYSTEM@\attrib.exe

MD5 17bdb0d40b76c272137d0a3283559a83
SHA1 40462e7a47f94c11c9ff7ae5bc826b48f95be57e
SHA256 21866c2264e2edd4458940b0bc3730568e9867b4ac2177b4e7c1ddf601b81f4b
SHA512 d7e43ddb689872288ed98486eebc01579459e4bd6c505d55b4bff1cbde534871f1dc538550be93ea97a1c76a6afabebdbad5a5d99867b284a164b48653f8e0cf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\calc.exe

MD5 5911f4ae105c7469636f7adcea35349f
SHA1 75372f91b19e681485f9d146bb7f002e52b23466
SHA256 4d63c6edf9d072dfaaeddba1cc3604b50aff71a32fc56867e98fe3f07c44c089
SHA512 87712ade1de2e72cbb7602f22a864f13b20bc6bcb28c3b8597eb0693b85a1b5543b58f2b785c6ebb32daba3cbb836277ad4d644a13a522557a544a13084e85d3

memory/3032-144-0x00000000045E0000-0x00000000046C5000-memory.dmp

\Users\Admin\AppData\Local\Xenocode\Sandbox\calcu\2\2012.05.12T13.28\Native\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\IXP000.TMP\calc.exe

MD5 8cda402922b0e6be94fb07fb0dc166ed
SHA1 a7ff8a3bebbb49b43d2cd83eacf0c863d0952e6d
SHA256 310ee6018b1bb1d1729710bab2577f3d0872d5a78b2134f9918bb27ddeebfd22
SHA512 793c39f3ec527315310b6fcbe8a33a4bb97ce2585ad05ed5ee467a44fcff0b033e4c043e31c39d61f2823d7b485a52ff71972e098f99d0185c0cd548ca2d612f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 10:14

Reported

2024-06-24 10:16

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\07e743a748a1bbb51e47e0682b6943ef_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 268

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3172-0-0x00000000005A0000-0x0000000000612000-memory.dmp

memory/3172-1-0x00000000772E2000-0x00000000772E3000-memory.dmp

memory/3172-2-0x0000000000400000-0x0000000000401000-memory.dmp

memory/3172-3-0x00000000005A0000-0x0000000000612000-memory.dmp