Malware Analysis Report

2024-11-16 13:12

Sample ID: 240625-rzsllayeln
Target: 0e7198087bc46e383c3d350fa32551a3_JaffaCakes118
SHA256: 4d905105ba83a74ba2d5142f0fa98f785724ca147a7104bedb9d4ed99d5d2077
Tags: sality backdoor evasion trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 4d905105ba83a74ba2d5142f0fa98f785724ca147a7104bedb9d4ed99d5d2077

Threat Level: Known bad

The file 0e7198087bc46e383c3d350fa32551a3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: sality backdoor evasion trojan upx

Sality

UAC bypass

UPX packed file

Checks whether UAC is enabled

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 14:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 14:38

Reported

2024-06-25 14:40

Platform

win7-20240221-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe"

Signatures

(none recorded for this run)

Processes

C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 328

WerFault.exe is Windows Error Reporting handling the crash of PID 1812. The memory dumps below are taken from that PID and the summary lists "Program crash", so on this Windows 7 image the sample crashed and no behavioural signatures were recorded; the behaviour described in behavioral2 was only observed on the Windows 10 image.

Network

N/A

Files

memory/1812-0-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1812-1-0x00000000001D0000-0x0000000000202000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 14:38

Reported

2024-06-25 14:40

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Sality

Tags: backdoor sality

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe | N/A

Writing 0 to EnableLUA turns User Account Control off for the whole machine; the change takes effect at the next reboot, after which processes started by a member of Administrators run fully elevated without a consent prompt. Restoring the value to 1 is part of any cleanup.

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(5 identical entries in the original report; the signature records no per-event detail)

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe | N/A

(Despite the signature name, the indicator recorded here is the same EnableLUA write reported under "UAC bypass", i.e. a write to the policy value rather than a read of it; the report contains one registry event that fires three signatures.)

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe | N/A
(64 identical entries in the original report)

SeDebugPrivilege lets a process open a handle to any other process, including SYSTEM-owned ones, with full access; enabling it on the sample's token is the prerequisite for the cross-process writes listed under "Suspicious use of WriteProcessMemory" below.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
(Indicator is N/A and Process is C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe in every row; rows are in the order recorded, repeats collapsed with a count)
PID 4520 wrote to memory of 2632 | C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe (x3)
PID 4520 wrote to memory of 764 | C:\Windows\system32\fontdrvhost.exe
PID 4520 wrote to memory of 768 | C:\Windows\system32\fontdrvhost.exe
PID 4520 wrote to memory of 384 | C:\Windows\system32\dwm.exe
PID 4520 wrote to memory of 2520 | C:\Windows\system32\sihost.exe
PID 4520 wrote to memory of 2560 | C:\Windows\system32\svchost.exe
PID 4520 wrote to memory of 2788 | C:\Windows\system32\taskhostw.exe
PID 4520 wrote to memory of 3416 | C:\Windows\Explorer.EXE
PID 4520 wrote to memory of 3532 | C:\Windows\system32\svchost.exe
PID 4520 wrote to memory of 3704 | C:\Windows\system32\DllHost.exe
PID 4520 wrote to memory of 3792 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4520 wrote to memory of 3856 | C:\Windows\System32\RuntimeBroker.exe
PID 4520 wrote to memory of 3952 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4520 wrote to memory of 4140 | C:\Windows\System32\RuntimeBroker.exe
PID 4520 wrote to memory of 4492 | C:\Windows\System32\RuntimeBroker.exe
PID 4520 wrote to memory of 1596 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4520 wrote to memory of 1824 | C:\Windows\system32\backgroundTaskHost.exe
PID 4520 wrote to memory of 2436 | C:\Windows\system32\backgroundTaskHost.exe
PID 4520 wrote to memory of 2632 | C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe (x2)

In total the sample (PID 4520) wrote into 18 distinct processes: a second instance of itself (PID 2632, five writes) and 17 processes under C:\Windows covering 12 distinct images. The second-instance writes bracket the system-process writes, which is consistent with the two instances listed under Processes (the second started with -deleter).

System policy modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe | N/A
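The two kinds of signature row that carry the substance of this run (the registry "Set value" row and the "PID A wrote to memory of B" rows) are easy to triage mechanically. The following Python is an added example written for this page, not part of the sandbox's output or tooling: it parses the rows quoted from the tables above, flags the EnableLUA = 0 write, and summarises the injection graph (source PID, distinct targets, writes into a second instance of the sample versus writes into images under the Windows directory). The regexes assume the column layout exactly as printed in this report, and the function names are this example's own.

```python
import re
from collections import Counter

# Rows copied from this report's behavioral2 "System policy modification" and
# "Suspicious use of WriteProcessMemory" tables. The sample path is factored
# out only to keep the rows readable; {S} is substituted below.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe"
RAW_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {S} N/A',
    r"PID 4520 wrote to memory of 2632 N/A {S} {S}",
    r"PID 4520 wrote to memory of 2632 N/A {S} {S}",
    r"PID 4520 wrote to memory of 2632 N/A {S} {S}",
    r"PID 4520 wrote to memory of 764 N/A {S} C:\Windows\system32\fontdrvhost.exe",
    r"PID 4520 wrote to memory of 768 N/A {S} C:\Windows\system32\fontdrvhost.exe",
    r"PID 4520 wrote to memory of 384 N/A {S} C:\Windows\system32\dwm.exe",
    r"PID 4520 wrote to memory of 2520 N/A {S} C:\Windows\system32\sihost.exe",
    r"PID 4520 wrote to memory of 2560 N/A {S} C:\Windows\system32\svchost.exe",
    r"PID 4520 wrote to memory of 2788 N/A {S} C:\Windows\system32\taskhostw.exe",
    r"PID 4520 wrote to memory of 3416 N/A {S} C:\Windows\Explorer.EXE",
    r"PID 4520 wrote to memory of 3532 N/A {S} C:\Windows\system32\svchost.exe",
    r"PID 4520 wrote to memory of 3704 N/A {S} C:\Windows\system32\DllHost.exe",
    r"PID 4520 wrote to memory of 3792 N/A {S} C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe",
    r"PID 4520 wrote to memory of 3856 N/A {S} C:\Windows\System32\RuntimeBroker.exe",
    r"PID 4520 wrote to memory of 3952 N/A {S} C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe",
    r"PID 4520 wrote to memory of 4140 N/A {S} C:\Windows\System32\RuntimeBroker.exe",
    r"PID 4520 wrote to memory of 4492 N/A {S} C:\Windows\System32\RuntimeBroker.exe",
    r"PID 4520 wrote to memory of 1596 N/A {S} C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe",
    r"PID 4520 wrote to memory of 1824 N/A {S} C:\Windows\system32\backgroundTaskHost.exe",
    r"PID 4520 wrote to memory of 2436 N/A {S} C:\Windows\system32\backgroundTaskHost.exe",
    r"PID 4520 wrote to memory of 2632 N/A {S} {S}",
    r"PID 4520 wrote to memory of 2632 N/A {S} {S}",
]
ROWS = [row.format(S=SAMPLE) for row in RAW_ROWS]

# Column layout as printed: Description | Indicator | Process | Target.
# Paths in this report contain no spaces, so \S+ is enough per column.
REG_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (\S+) (\S+)$')
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def parse_rows(rows):
    """Turn flattened signature rows into structured events; rows of other kinds are skipped."""
    events = []
    for row in rows:
        m = REG_RE.match(row)
        if m:
            vtype, key, value, proc, _target = m.groups()
            events.append({"kind": "registry", "type": vtype, "key": key, "value": value, "process": proc})
            continue
        m = WPM_RE.match(row)
        if m:
            src, dst, src_img, dst_img = m.groups()
            events.append({"kind": "inject", "src": int(src), "dst": int(dst),
                           "src_image": src_img, "dst_image": dst_img})
    return events


def uac_disabled(events):
    """True if a registry event sets Policies\\System\\EnableLUA to 0 (UAC off after reboot)."""
    for ev in events:
        if ev["kind"] != "registry":
            continue
        key_path, _, value_name = ev["key"].rpartition("\\")
        if key_path.lower() == UAC_POLICY_KEY.lower() and value_name.lower() == "enablelua":
            if ev["value"].strip('"') == "0":
                return True
    return False


def injection_summary(events):
    """Group the WriteProcessMemory events by target PID and by target image."""
    inj = [ev for ev in events if ev["kind"] == "inject"]
    writes_by_pid = Counter(ev["dst"] for ev in inj)
    image_by_pid = {ev["dst"]: ev["dst_image"] for ev in inj}
    system_images = sorted({img for img in image_by_pid.values() if img.lower().startswith("c:\\windows\\")})
    self_writes = sum(1 for ev in inj if ev["dst_image"].lower() == ev["src_image"].lower())
    return {"sources": sorted({ev["src"] for ev in inj}), "distinct_targets": len(writes_by_pid),
            "writes_by_pid": dict(writes_by_pid), "system_images": system_images, "self_writes": self_writes}


def triage(rows):
    """Findings in the order an analyst would report them for these rows."""
    events = parse_rows(rows)
    inj = injection_summary(events)
    findings = []
    if uac_disabled(events):
        findings.append("UAC disabled: Policies\\System\\EnableLUA set to 0 (effective after reboot)")
    if inj["system_images"]:
        findings.append(f"PID {inj['sources']} wrote into {inj['distinct_targets']} processes, "
                        f"{len(inj['system_images'])} distinct images under the Windows directory")
    if inj["self_writes"]:
        findings.append(f"{inj['self_writes']} writes into a second instance of the sample itself")
    return findings


if __name__ == "__main__":
    for line in triage(ROWS):
        print(line)
```

Feeding it the rows above yields three findings: the UAC policy change, writes into 18 processes (12 distinct images under C:\Windows), and five writes into the second copy of the sample.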

Processes

(The processes listed before the sample are system processes that PID 4520 wrote into, see "Suspicious use of WriteProcessMemory"; the sample's own two instances are the last two entries, the second started with the argument -deleter.)

C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"

C:\Windows\system32\dwm.exe
    "dwm.exe"

C:\Windows\system32\sihost.exe
    sihost.exe

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe -deleter

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 |  | udp

Reading the table: the rows ending in .in-addr.arpa are reverse (PTR) lookups of IP addresses, only three of which (204.79.197.237, 23.62.61.194, 150.171.27.10) also appear as a TCP destination in this capture, and the forward lookups and TCP connections all concern Bing hosts. The report does not attribute traffic to a process, and the process list for this run includes SearchApp.exe and Cortana-hosted backgroundTaskHost.exe instances, so nothing in this table can be taken as sample command-and-control on the strength of the table alone.
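Separating the PTR lookups from forward lookups and connections, and checking which reverse-looked-up addresses were actually connected to, is the first thing to do with a table like this before spending time on any destination. The Python below is an added example for this page, not sandbox output: it parses the rows quoted verbatim from the table above (including the last row, which has no Domain column), converts in-addr.arpa names back to IP addresses, and reports which PTR targets match an observed TCP destination and which TCP destinations have no logged forward lookup. The row regex assumes the column layout as printed here; the function names are this example's own.

```python
import re

# Rows copied from this report's behavioral2 Network table. The final row is
# kept exactly as printed (no Domain column) so the parser must cope with it.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp
""".strip().splitlines()

# Country | Destination | Domain | Proto, with Domain optional.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>udp|tcp)$"
)


def parse_network(rows):
    """Parse the flattened rows; a row that does not fit the layout is an error, not silently dropped."""
    entries = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        entries.append(d)
    return entries


def ptr_to_ip(name):
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None if the name is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def correlate(entries):
    """Split DNS rows into PTR and forward lookups and relate them to the TCP destinations."""
    tcp = {(e["ip"], e["port"], e["domain"]) for e in entries if e["proto"] == "tcp"}
    tcp_ips = {ip for ip, _, _ in tcp}
    ptr_ips, forward = set(), set()
    rows_without_domain = 0
    for e in entries:
        if e["proto"] != "udp" or e["port"] != 53:
            continue
        if e["domain"] is None:
            rows_without_domain += 1          # the truncated final row of the report
            continue
        ip = ptr_to_ip(e["domain"])
        if ip:
            ptr_ips.add(ip)
        else:
            forward.add(e["domain"])
    return {
        "tcp_destinations": tcp,
        "ptr_ips": ptr_ips,
        "ptr_observed": ptr_ips & tcp_ips,        # reverse-looked-up AND connected to
        "ptr_unobserved": ptr_ips - tcp_ips,      # reverse-looked-up only
        "forward_lookups": forward,
        "connections_without_lookup": sorted((d or ip) for ip, _, d in tcp if d not in forward),
        "rows_without_domain": rows_without_domain,
    }


if __name__ == "__main__":
    for key, value in correlate(parse_network(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

On this table the parser finds 17 distinct reverse-looked-up addresses, three of which were connected to, and one TCP destination (www.bing.com) with no forward lookup logged; the 14 unmatched PTR targets are where an analyst would look next, with the attribution caveat above in mind.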

Files

Memory dumps (named PID-index-start-end):
memory/4520-0-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4520-11-0x0000000003380000-0x0000000003381000-memory.dmp
memory/4520-10-0x0000000000880000-0x0000000000882000-memory.dmp
memory/4520-1-0x0000000002250000-0x0000000003280000-memory.dmp
memory/2632-13-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/4520-8-0x0000000002250000-0x0000000003280000-memory.dmp
memory/4520-16-0x0000000002250000-0x0000000003280000-memory.dmp
memory/2632-22-0x00000000001D0000-0x00000000001D2000-memory.dmp
memory/2632-21-0x00000000001D0000-0x00000000001D2000-memory.dmp
memory/4520-19-0x0000000000880000-0x0000000000882000-memory.dmp
memory/4520-17-0x0000000000880000-0x0000000000882000-memory.dmp

Dropped files:

C:\Users\Admin\AppData\Local\Temp\0E5735F4_Rar\0e7198087bc46e383c3d350fa32551a3_JaffaCakes118.exe
    MD5 35cc2cf26b2dff62c7af286b9de40392
    SHA1 550ccbf2d4cce915ca4bbf141bd13e3bea0a9efb
    SHA256 ede31e4fb303a9eb7b1f202a09ece8738a2902cd2f2fe73455fcd4852c962061
    SHA512 73ffc756ded37b34d713beb072a13a7c18ba52c0ea513389f943615a8dee773f20f62cc733e74fc4c79a08034f021c07b54965f65167974be8d4425bc5b3fd05
    (This file carries the sample's name but its hashes differ from those of the submitted sample listed at the top of this report, so it is not a byte-identical copy; its contents were not characterised by this run.)

C:\Users\Admin\AppData\Local\Temp\ISPackFiles.ini
    MD5 3bc90ad0c754d0b519b0c0bb63b3d9cb
    SHA1 998f7c8140db71a74459dbf85aabdf1645e386e5
    SHA256 c008bd9a56d54b4ff96dcd30bc258fc2bfbd8929c218bbfc69a0578272743d82
    SHA512 a6afe74f40415f7cd8ee6ba5a7ba14e87eda7828dd26aae9cfcf1f22945082eaeca66ee77a2ea364f05aaf385162a95fdd8ac5deb753d5052ecc536cfcfc17c0

Later memory dumps:
memory/4520-1211-0x0000000002250000-0x0000000003280000-memory.dmp
memory/4520-2923-0x0000000002250000-0x0000000003280000-memory.dmp
memory/2632-9777-0x00000000001D0000-0x00000000001D2000-memory.dmp
memory/2632-9780-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4520-9788-0x0000000000880000-0x0000000000882000-memory.dmp
memory/4520-9797-0x0000000000400000-0x0000000000432000-memory.dmp

The 0x400000-0x432000 range is the sample's own image, present in both of its instances (PIDs 4520 and 2632) and in PID 1812 on the Windows 7 run; the 0x2250000-0x3280000 region in PID 4520 is a separate 16 MiB allocation dumped repeatedly over the run.