Malware Analysis Report

2024-08-06 14:46

Sample ID 240624-t7l5wsvhqp
Target 09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118
SHA256 3a15d1f531ee5efd3d82e8ebac4ea5fb8277c002f73d3781ec648cf9c65c39ef
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3a15d1f531ee5efd3d82e8ebac4ea5fb8277c002f73d3781ec648cf9c65c39ef

Threat Level: Known bad

The file 09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks computer location settings

Checks BIOS information in registry

Adds Run key to start application

Maps connected drives based on registry

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-24 16:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 16:41

Reported

2024-06-24 16:44

Platform

win7-20240220-en

Max time kernel

148s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2040 set thread context of 2428 N/A C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (x3)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A (x2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe (x4)
PID 2040 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (x12)
PID 2428 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe (x4)
PID 2428 wrote to memory of 2596 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe (x4)

Processes

C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QYQmEmZh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp900F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp91F3.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9261.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 strongodss.ddns.net udp
CH 79.134.225.43:58103 tcp (x12)

Files

memory/2040-0-0x0000000074A61000-0x0000000074A62000-memory.dmp

memory/2040-1-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/2040-2-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/2040-3-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/2040-4-0x0000000074A60000-0x000000007500B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp900F.tmp

MD5 17114b06a27aea4873efbc15498f3c48
SHA1 9ed6831d93e2782e0b65cec4564b73d6d119f003
SHA256 ca0269a96097c244df29b94961007634fe4ff1dcb8585555c0114979cde9fe6e
SHA512 0c45630f442090d35882e7e72ea9efe8ef79970993b0a252c1a229ab99c7c9203f8e1fa7d9e1adfaf27d367ccf0dc89e9dfa5d28781622dc588cac6595ef4e47

memory/2428-10-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2428-12-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2428-14-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2428-8-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2428-22-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2428-20-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2428-18-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2428-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2040-23-0x0000000074A60000-0x000000007500B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp91F3.tmp

MD5 40b11ef601fb28f9b2e69d36857bf2ec
SHA1 b6454020ad2ceed193f4792b77001d0bd741b370
SHA256 c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
SHA512 e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5

C:\Users\Admin\AppData\Local\Temp\tmp9261.tmp

MD5 4b7ef560289c0f62d0baf6f14f48a57a
SHA1 8331acb90dde588aa3196919f6e847f398fd06d1
SHA256 062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207
SHA512 ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 16:41

Reported

2024-06-24 16:44

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Host = "C:\\Program Files (x86)\\SCSI Host\\scsihost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 116 set thread context of 436 N/A C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SCSI Host\scsihost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\SCSI Host\scsihost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (x3)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A (x2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 116 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe (x3)
PID 116 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (x8)
PID 436 wrote to memory of 400 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe (x3)
PID 436 wrote to memory of 1528 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe (x3)

Processes

C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09a8ee07ff8bcdd18f3bc237f6e19c06_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QYQmEmZh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpACCA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB17D.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB1BD.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 strongodss.ddns.net udp
CH 79.134.225.43:58103 tcp (x3)
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
CH 79.134.225.43:58103 tcp (x3)
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (x4)
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
CH 79.134.225.43:58103 tcp (x5)

Files

memory/116-0-0x0000000075492000-0x0000000075493000-memory.dmp

memory/116-1-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/116-2-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/116-3-0x0000000075492000-0x0000000075493000-memory.dmp

memory/116-4-0x0000000075490000-0x0000000075A41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpACCA.tmp

MD5 574391be18ecf3124ae0e954e2db1b4f
SHA1 6cecf4c5282a601832e149553933092c85638fb1
SHA256 514a1a00faf6a6911e4b2b62d1c39d33106831c7a2e83821074ef13f448f7b8b
SHA512 a30ee49e327f1f4b0fce34ac499ab36f84f946721e6133d92be06cbdcbb0f7bbf7967ea133d30731929d53cd812c38e8033e47db57b2f8266eb02f90e323111e

memory/436-8-0x0000000000400000-0x000000000043A000-memory.dmp

memory/436-10-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/436-11-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/116-12-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/436-13-0x0000000075490000-0x0000000075A41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB17D.tmp

MD5 40b11ef601fb28f9b2e69d36857bf2ec
SHA1 b6454020ad2ceed193f4792b77001d0bd741b370
SHA256 c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
SHA512 e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5

C:\Users\Admin\AppData\Local\Temp\tmpB1BD.tmp

MD5 9a559f229be0944bc3dc813cde333f50
SHA1 0e97c97eea032b499ff060e799581e32beeceb09
SHA256 a63d853679aa655cced3b62a10855c56f9efd9b50770738b408d728008f73330
SHA512 4cbb2f77283500e86ecf79fd2cbd31d10c3af2fcf6c9a557ee0b1edead229dc07d63a5030b60df57458d52ef8c2a42ec199d2d4cdca387400d047df25b593c68

memory/436-21-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/436-22-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/436-23-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/436-24-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/436-25-0x0000000075490000-0x0000000075A41000-memory.dmp