Malware Analysis Report

2025-01-19 07:05

Sample ID 240625-snj1razgnq
Target 0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118
SHA256 2f5eb4b47c76941b43df6ce404bedcd77f10e4fdfa1cc351d201f24de9589f7b
Tags
ramnit banker defense_evasion evasion persistence spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f5eb4b47c76941b43df6ce404bedcd77f10e4fdfa1cc351d201f24de9589f7b

Threat Level: Known bad

The file 0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker defense_evasion evasion persistence spyware stealer trojan worm

Ramnit

UAC bypass

Modifies WinLogon for persistence

Executes dropped EXE

Drops startup file

Checks BIOS information in registry

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 15:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 15:16

Reported

2024-06-25 15:18

Platform

win7-20240419-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\ijuabsdw\\qmjmlvmn.exe" C:\Windows\SysWOW64\svchost.exe N/A

Note: the writer is a 32-bit process (SysWOW64\svchost.exe), so the value landed in the Wow6432Node view of the Winlogon key. When hunting on 64-bit hosts, read both HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and its Wow6432Node counterpart; the stock data is a single entry, C:\Windows\system32\userinit.exe, (trailing comma included), and any additional entry is a hijack. The appended path is the same dropped copy that the Run key and Startup-folder entries below point at.

Ramnit

trojan spyware stealer worm banker ramnit

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\svchost.exe N/A

Note: writing EnableLUA under HKLM already requires administrative rights, and the change only takes effect at the next logon. This is UAC being switched off for later elevations rather than a bypass of a live prompt; the sandbox's "UAC bypass" label should be read that way. Unlike the Userinit write above, the value sits in the native Policies\System path (no Wow6432Node).

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qmjmlvmn.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qmjmlvmn.exe C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iuhhqxotkduhnepx.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Windows\SysWOW64\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Windows\SysWOW64\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Windows\SysWOW64\svchost.exe N/A

Note: each SafeBoot\Minimal subkey names a service or driver allowed to start in Safe Mode. Removing WinDefend keeps Windows Defender from starting there; removing ProfSvc (User Profile Service) and Power is likely to break Safe Mode logon altogether, which frustrates offline cleanup. Only ControlSet001 is listed in this run; when remediating, check every control set, not just the one CurrentControlSet links to.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\QmjMlvmn = "C:\\Users\\Admin\\AppData\\Local\\ijuabsdw\\qmjmlvmn.exe" C:\Windows\SysWOW64\svchost.exe N/A

Note: the Run value, the Startup-folder file and the Userinit entry all point at the same dropped copy, C:\Users\Admin\AppData\Local\ijuabsdw\qmjmlvmn.exe. Removing one of the three without the others leaves the infection in place.
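The four registry changes above (Userinit, EnableLUA, SafeBoot\Minimal, Run) are the ones worth turning into detections. What follows is an added example, not code from the sandbox vendor or from the sample: it parses rows in the same "Description Indicator Process Target" layout this report uses and runs Sigma-style rules over them. The event lines are copied from this report's behavioral1 tables, plus one constructed benign Userinit row as a control; the row parser, the rule logic, its path-matching thresholds and the ATT&CK mappings are this example's own assumptions.

```python
"""Rule-based triage of the registry events in this report's behavioral1 run.

Added example: neither the sandbox report nor Ramnit ships this code.  The
event lines are copied from the report's signature tables (plus one benign
control line, marked as constructed); the parser and the four rules are this
example's own assumptions, modelled on Sigma-style registry detections.
"""
import re
from dataclasses import dataclass

REPORT_EVENTS = [
    # copied from the report (behavioral1, win7)
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\ijuabsdw\\qmjmlvmn.exe" C:\Windows\SysWOW64\svchost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\svchost.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\svchost.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Windows\SysWOW64\svchost.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Windows\SysWOW64\svchost.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Windows\SysWOW64\svchost.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\QmjMlvmn = "C:\\Users\\Admin\\AppData\\Local\\ijuabsdw\\qmjmlvmn.exe" C:\Windows\SysWOW64\svchost.exe N/A',
    # constructed benign control line (not from the report): the stock Userinit value
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," C:\Windows\System32\winlogon.exe N/A',
]

# One report row: <operation> <registry path>[ = "<data>"] <process image> N/A
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key deleted|Key created|Key value queried) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r' (?P<proc>[A-Za-z]:\\.+?) N/A$'
)


@dataclass
class RegEvent:
    op: str        # "set", "key deleted", "key created", "key value queried"
    path: str      # key (or key\value) path exactly as logged
    data: str      # value data with the report's doubled backslashes undone
    process: str   # image path of the writing process


def parse_event(line):
    """Parse one signature-table row; None if the row does not fit the layout."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    op = "set" if m.group("op").startswith("Set value") else m.group("op").lower()
    data = (m.group("data") or "").replace("\\\\", "\\")
    return RegEvent(op, m.group("path"), data, m.group("proc"))


def userinit_hijacked(ev):
    """Userinit must be exactly one entry whose file name is userinit.exe."""
    if ev.op != "set" or not ev.path.lower().endswith("\\winlogon\\userinit"):
        return False
    entries = [e.strip().lower() for e in ev.data.split(",") if e.strip()]
    return len(entries) != 1 or entries[0].rsplit("\\", 1)[-1] != "userinit.exe"


def uac_disabled(ev):
    return (ev.op == "set" and ev.path.lower().endswith("\\policies\\system\\enablelua")
            and ev.data.strip() == "0")


USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def run_key_to_user_path(ev):
    """Run value whose target lives in a directory an unprivileged user can write."""
    return (ev.op == "set" and "\\currentversion\\run\\" in ev.path.lower()
            and any(t in ev.data.lower() for t in USER_WRITABLE))


def safeboot_entry_removed(ev):
    return ev.op == "key deleted" and "\\control\\safeboot\\" in ev.path.lower()


RULES = [  # (name, ATT&CK technique, predicate); mappings are this example's choice
    ("Winlogon Userinit hijack", "T1547.004", userinit_hijacked),
    ("UAC disabled (EnableLUA=0)", "T1548.002", uac_disabled),
    ("Run key pointing into a user-writable directory", "T1547.001", run_key_to_user_path),
    ("SafeBoot service entry deleted", "T1562.009", safeboot_entry_removed),
]


def triage(lines):
    """Return (rule, technique, process, path) for every row that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, tid, pred in RULES:
            if pred(ev):
                alerts.append((name, tid, ev.process, ev.path))
    return alerts


if __name__ == "__main__":
    for name, tid, proc, path in triage(REPORT_EVENTS):
        print(f"[{tid}] {name}\n    by {proc}\n    at {path}")
```

Run against the rows above it raises six alerts, all attributed to C:\Windows\SysWOW64\svchost.exe, and stays silent on the BIOS query and on the stock Userinit value. The Userinit rule deliberately accepts any directory for userinit.exe and rejects on entry count, so it also catches the common trick of appending a second path to an otherwise intact value.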

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A (64 identical events)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt N/A
Token: SeSecurityPrivilege (×2) N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege / SeBackupPrivilege, alternating (6 pairs) N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iuhhqxotkduhnepx.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iuhhqxotkduhnepx.exe N/A
Token: SeRestorePrivilege / SeBackupPrivilege, alternating (23 SeRestore, 22 SeBackup) N/A C:\Windows\SysWOW64\svchost.exe N/A

Note: SeLoadDriverPrivilege is requested only by the second dropped executable, iuhhqxotkduhnepx.exe, which matches the LoadsDriver signature. The long SeBackup/SeRestore sequence from the injected svchost.exe is consistent with bulk registry and file access that ignores ACLs.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 1828 (×4) N/A C:\Users\Admin\AppData\Local\Temp\0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\iYju31Jt
PID 1828 wrote to memory of 2832 (×10) N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 1828 wrote to memory of 2500 (×10) N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 1828 wrote to memory of 2388 (×4) N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Users\Admin\AppData\Local\Temp\iuhhqxotkduhnepx.exe

Processes

Image path followed by command line; PIDs and parentage are taken from the WriteProcessMemory table above.

PID 3012  C:\Users\Admin\AppData\Local\Temp\0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118.exe"

  PID 1828  C:\Users\Admin\AppData\Local\Temp\iYju31Jt
            "iYju31Jt"

    PID 2832  C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe

    PID 2500  C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe

    PID 2388  C:\Users\Admin\AppData\Local\Temp\iuhhqxotkduhnepx.exe
              "C:\Users\Admin\AppData\Local\Temp\iuhhqxotkduhnepx.exe"

Note: both svchost.exe instances are 32-bit (SysWOW64 image) even though their command line names system32\svchost.exe; that is the file-system redirector acting on a 32-bit parent, not a spoofed path. iYju31Jt writes into both of them, and every registry change in this run is attributed to SysWOW64\svchost.exe, i.e. to the injected code rather than to the dropped file itself. Hunting for svchost.exe whose parent is not services.exe catches this pattern.

Network

Beyond the google.com lookup (a common connectivity check), the run resolves roughly two hundred pseudo-random .com names over the two-minute window, of which only a handful complete a TCP connection, and those that do share a few IPs (34.253.216.9, 46.165.220.143). The pattern is consistent with Ramnit's domain generation algorithm: treat the generated names as ephemeral and the contacted IPs as the more durable indicators.

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp
US 8.8.8.8:53 secretmoney2.com udp
US 8.8.8.8:53 htmthgurhtchwlhwklf.com udp
US 8.8.8.8:53 jiwucjyxjibyd.com udp
US 8.8.8.8:53 khddwukkbwhfdiufhaj.com udp
US 8.8.8.8:53 snoknwlgcwgaafbtqkt.com udp
US 8.8.8.8:53 tfgyaoingy.com udp
US 8.8.8.8:53 ukiixagdbdkd.com udp
US 8.8.8.8:53 swbadolov.com udp
US 8.8.8.8:53 ouljuvkvn.com udp
US 8.8.8.8:53 tiqfgpaxvmhsxtk.com udp
US 8.8.8.8:53 cxatodxefolgkokdqy.com udp
US 204.95.99.223:443 snoknwlgcwgaafbtqkt.com tcp
DE 46.165.220.143:443 ukiixagdbdkd.com tcp
DE 195.201.179.207:443 tfgyaoingy.com tcp
IE 34.253.216.9:443 khddwukkbwhfdiufhaj.com tcp
US 162.249.65.200:443 htmthgurhtchwlhwklf.com tcp
US 8.8.8.8:53 ubkfgwqslhqyy.com udp
US 8.8.8.8:53 caytmlnlrou.com udp
US 8.8.8.8:53 qbsqnpyyooh.com udp
IE 34.253.216.9:443 ubkfgwqslhqyy.com tcp
US 8.8.8.8:53 vrguyjjxorlyen.com udp
US 8.8.8.8:53 nvepdnpx.com udp
US 8.8.8.8:53 vwaeloyyutodtr.com udp
US 8.8.8.8:53 gokbwlivwvgqlretxd.com udp
US 8.8.8.8:53 mukevipvxvrq.com udp
US 8.8.8.8:53 empsqyowjuvvsvrwj.com udp
US 8.8.8.8:53 duomyvwabkuappgqxhp.com udp
US 8.8.8.8:53 voohnyqdinl.com udp
US 8.8.8.8:53 ncxphtrpiawmchfylsy.com udp
US 8.8.8.8:53 xwrmquiqjdsxk.com udp
US 8.8.8.8:53 ldiogjdyyxacm.com udp
US 8.8.8.8:53 kuetvxnntsk.com udp
US 8.8.8.8:53 lsawmyxqxvmogvxifm.com udp
US 8.8.8.8:53 ppdbeidwufrb.com udp
US 8.8.8.8:53 tfipmwkcgigiey.com udp
US 8.8.8.8:53 pgahbyurf.com udp
US 8.8.8.8:53 yaesbfejdxs.com udp
US 8.8.8.8:53 yeokcogbbprvybwqn.com udp
US 8.8.8.8:53 pubecchfuxgquhguye.com udp
US 8.8.8.8:53 ocwbuffwnj.com udp
US 8.8.8.8:53 cpugvsnhyrueqcyxnvo.com udp
US 8.8.8.8:53 bxqqsoxw.com udp
US 8.8.8.8:53 gvjkpsip.com udp
US 8.8.8.8:53 garxfslj.com udp
US 8.8.8.8:53 jpeobmbipilmwsc.com udp
US 8.8.8.8:53 mfpgvhnjp.com udp
US 8.8.8.8:53 sjolcaml.com udp
US 8.8.8.8:53 spykqqdavslss.com udp
US 8.8.8.8:53 hcegcnlr.com udp
US 8.8.8.8:53 derdamdyvt.com udp
US 8.8.8.8:53 hnywdakvhxvuoeuap.com udp
US 8.8.8.8:53 fxamvtgx.com udp
US 8.8.8.8:53 rxkcrxbkc.com udp
US 8.8.8.8:53 wavmiijmnswdmbuhcn.com udp
US 8.8.8.8:53 gylgunsiciis.com udp
US 8.8.8.8:53 exvpgubuxrdvhijan.com udp
US 8.8.8.8:53 mvorlnmwfkayjrqfni.com udp
US 8.8.8.8:53 nhvfyugxtgrnk.com udp
US 8.8.8.8:53 ktltiueyc.com udp
US 8.8.8.8:53 ndtdktwnkplaavqsfa.com udp
US 8.8.8.8:53 pvgnfjpvih.com udp
US 8.8.8.8:53 ftmtkcjkomqdw.com udp
US 8.8.8.8:53 shkxklmbrgcqoeh.com udp
US 8.8.8.8:53 daxwkcompfufkvaa.com udp
US 8.8.8.8:53 ttwiysoohhkrhl.com udp
US 8.8.8.8:53 yblmyabknhn.com udp
US 8.8.8.8:53 rbafexvqgsmmnnvfv.com udp
US 8.8.8.8:53 nkootxbt.com udp
US 8.8.8.8:53 anypbvojndegpnm.com udp
DE 46.165.220.143:443 anypbvojndegpnm.com tcp
IE 34.253.216.9:443 nkootxbt.com tcp
US 8.8.8.8:53 apimyackpqd.com udp
US 8.8.8.8:53 jptkockakusewlaqfdt.com udp
US 8.8.8.8:53 kbohjdsc.com udp
US 8.8.8.8:53 qxthcmscxhradd.com udp
US 8.8.8.8:53 ldyyuwwwgw.com udp
US 8.8.8.8:53 eonvwoabjwow.com udp
US 8.8.8.8:53 rrnuptrt.com udp
US 8.8.8.8:53 ksynclhbmctx.com udp
US 8.8.8.8:53 nwakycbynypuhbpkpx.com udp
US 8.8.8.8:53 kabywdoswjvqgdso.com udp
US 8.8.8.8:53 miafnrcwjddy.com udp
US 8.8.8.8:53 lnolxrnhb.com udp
US 8.8.8.8:53 fjegwqbvoae.com udp
US 8.8.8.8:53 ryauwismekfu.com udp
US 8.8.8.8:53 njopiyisfxnxw.com udp
US 8.8.8.8:53 kuftuiyxrlyrbffu.com udp
US 8.8.8.8:53 xjxsswjhxpfekmlcwv.com udp
US 8.8.8.8:53 hrwgpaisqjtadka.com udp
US 8.8.8.8:53 xtjjsdpqjrckayml.com udp
US 8.8.8.8:53 rirbqsrjqsnw.com udp
US 8.8.8.8:53 jmdqxtwclkxellkxgn.com udp
US 8.8.8.8:53 ggplhlwurkffvsfxxdh.com udp
US 8.8.8.8:53 gjkdyorakldhem.com udp
US 8.8.8.8:53 iaoaagmfylemjyq.com udp
US 8.8.8.8:53 gmajhefkqm.com udp
US 8.8.8.8:53 mesctomcqxdvseeesd.com udp
US 8.8.8.8:53 hbjgehxcf.com udp
US 8.8.8.8:53 xhxiowpga.com udp
US 8.8.8.8:53 ypwubsqx.com udp
US 8.8.8.8:53 gadwjccnb.com udp
US 8.8.8.8:53 lecgcbtmbnofr.com udp
US 8.8.8.8:53 wgyndijomue.com udp
US 8.8.8.8:53 riacjyielwbe.com udp
US 8.8.8.8:53 clufudjixpqmyspofp.com udp
US 8.8.8.8:53 otfbjejwjvcno.com udp
US 8.8.8.8:53 takpkwhluhhediie.com udp
US 8.8.8.8:53 ieqpusccgyvca.com udp
US 8.8.8.8:53 pqqvrioftjalqahlo.com udp
US 8.8.8.8:53 omqluoghcqw.com udp
US 8.8.8.8:53 oxlbfdxd.com udp
US 8.8.8.8:53 ciqeutekeaojdxcxu.com udp
US 8.8.8.8:53 udyrxoed.com udp
US 8.8.8.8:53 qfdufqnr.com udp
US 8.8.8.8:53 uuwqjcksfo.com udp
US 8.8.8.8:53 fjaapqjsqreelq.com udp
US 8.8.8.8:53 yywtmnpgo.com udp
US 8.8.8.8:53 owjvhbqartmagudc.com udp
US 8.8.8.8:53 lvhsmwthsn.com udp
US 8.8.8.8:53 xsmhhtctdkvikelygk.com udp
US 8.8.8.8:53 fymctauygyk.com udp
US 8.8.8.8:53 attqfideqdholwyafo.com udp
US 8.8.8.8:53 lhvlyhgojmdtq.com udp
US 8.8.8.8:53 pbpanibyxfajxlr.com udp
US 8.8.8.8:53 wbuvoybqnqsbmhcdcfs.com udp
US 8.8.8.8:53 ijjuircfabvpqh.com udp
US 8.8.8.8:53 mrigtuhohkbsju.com udp
US 8.8.8.8:53 iueenjqheehbvhpkp.com udp
US 8.8.8.8:53 wpahyhff.com udp
US 8.8.8.8:53 hgbstappdn.com udp
US 8.8.8.8:53 nfadxfjmdfvqpj.com udp
US 8.8.8.8:53 lkvcgnfsyhvlugcap.com udp
US 8.8.8.8:53 llhbeoxrxoqk.com udp
US 8.8.8.8:53 jdcfoplrebamtbcqa.com udp
US 8.8.8.8:53 hjxaihieibafwv.com udp
US 8.8.8.8:53 xyttylxriaj.com udp
US 8.8.8.8:53 gpngcqfqrjmfydxckai.com udp
US 8.8.8.8:53 jlormrurxa.com udp
US 8.8.8.8:53 ecguxgqdjcyhggfk.com udp
US 8.8.8.8:53 xsflgqxa.com udp
US 8.8.8.8:53 vqokjkmppvllwxuk.com udp
US 8.8.8.8:53 ybxgengtxtycjemmqng.com udp
US 8.8.8.8:53 mshvgpvvs.com udp
US 8.8.8.8:53 tuddhpqmbadaaht.com udp
US 8.8.8.8:53 uxxykffflohlhskeyi.com udp
US 8.8.8.8:53 iibdbafng.com udp
US 8.8.8.8:53 xfjiribvjqd.com udp
US 8.8.8.8:53 mmxqkwglxtdtor.com udp
US 8.8.8.8:53 nvsgajhivvn.com udp
US 8.8.8.8:53 prqerbwwjvw.com udp
US 8.8.8.8:53 xorutrhmdjwmfcpgsvq.com udp
US 8.8.8.8:53 gnmbqnxvumfclqyug.com udp
US 8.8.8.8:53 yktervxj.com udp
US 8.8.8.8:53 iblgthye.com udp
US 8.8.8.8:53 bfbbvadypijthjh.com udp
US 8.8.8.8:53 hhtxwgap.com udp
US 8.8.8.8:53 ptxfoqfjjxhdnekeh.com udp
US 8.8.8.8:53 fmwuiydsiqsporrgw.com udp
US 8.8.8.8:53 faexhycctgxdl.com udp
US 8.8.8.8:53 cdorpnmmafnomwyeny.com udp
US 8.8.8.8:53 eehckdyaxxjqhdo.com udp
US 8.8.8.8:53 rxatjyykg.com udp
US 8.8.8.8:53 yrluloqkxujrvv.com udp
US 8.8.8.8:53 ltqgnbgqukixovfdaoi.com udp
US 8.8.8.8:53 mmdchhrh.com udp
US 8.8.8.8:53 vqurlimfhvxttpjr.com udp
US 8.8.8.8:53 buoprdhrhaighfcfl.com udp
US 8.8.8.8:53 lvmmllrmkpdll.com udp
US 8.8.8.8:53 cbscmebdlyfkdeeasmu.com udp
US 8.8.8.8:53 xqelqiidxspuqvi.com udp
US 8.8.8.8:53 nucpjoumgxmhndsob.com udp
US 8.8.8.8:53 osajklwmmhjp.com udp
US 8.8.8.8:53 qdonhyqsieseoqlm.com udp
US 8.8.8.8:53 nulthurgrjvwqokbic.com udp
US 8.8.8.8:53 gaohkehqjs.com udp
US 8.8.8.8:53 sohwjlifxvlmfguite.com udp
US 8.8.8.8:53 lrpvmktouq.com udp
US 8.8.8.8:53 hpswpjjmvccxmimedi.com udp
US 8.8.8.8:53 ecuamsraikwrwki.com udp
US 8.8.8.8:53 kyonhkyryembre.com udp
US 8.8.8.8:53 vcxkjqaswogrbmqgfyf.com udp
US 8.8.8.8:53 ksewxcnjo.com udp
US 8.8.8.8:53 xllnolng.com udp
US 8.8.8.8:53 treayxvaoaqol.com udp
US 8.8.8.8:53 uoqdcxvy.com udp
US 8.8.8.8:53 xjhhggbuufmlirsmgjx.com udp
US 8.8.8.8:53 dsooagtnljlwfpmewvm.com udp
US 8.8.8.8:53 cwnwhjtgqtt.com udp
US 8.8.8.8:53 dcdtpewhb.com udp
US 8.8.8.8:53 havonolwc.com udp
IE 34.253.216.9:443 havonolwc.com tcp
US 8.8.8.8:53 yvywhtknppwkfcfvyhj.com udp
US 8.8.8.8:53 eijabgcrvhynghfx.com udp
US 8.8.8.8:53 vomdkymumbypgiqba.com udp
US 8.8.8.8:53 gggyexvskphnets.com udp
US 8.8.8.8:53 ivjbicjj.com udp
US 8.8.8.8:53 qqtxsbps.com udp
US 8.8.8.8:53 ljxvlmvyyqjch.com udp
US 8.8.8.8:53 uqmgwttutorxwgums.com udp
US 8.8.8.8:53 kfucikjlowsaypemxe.com udp
US 8.8.8.8:53 dtqmfjuwgawuoswof.com udp
US 8.8.8.8:53 hvjunwdwyoypxkk.com udp
US 8.8.8.8:53 uhguoyhafk.com udp
US 8.8.8.8:53 nyigwkvffift.com udp
US 8.8.8.8:53 gllurecirqjdybfy.com udp
US 8.8.8.8:53 oqrmgtfyglxye.com udp
US 8.8.8.8:53 jkocxjytlxvytl.com udp
GB 142.250.179.238:80 google.com tcp
GB 142.250.179.238:80 google.com tcp
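As an added example that is not part of the report, the script below parses rows in the layout of the Network table above, pairs each DNS query with any TCP connection to the same name, clusters contacted names by destination IP, and scores the leftmost label with a cheap lexical heuristic (vowel ratio and longest consonant run). The embedded rows are a subset copied from the table; the heuristic and its thresholds are this example's assumptions. It misses pronounceable generated names (swbadolov.com, for instance) and would need a word-list or n-gram model to separate dictionary-word domains from word-based DGAs.

```python
"""Triage of the Network table in this report's behavioral1 run.

Added example, not code from the sandbox or from Ramnit.  NETWORK_ROWS is a
subset copied from the report's table; the parser, the lookalike-DGA
heuristic and its thresholds are this example's own assumptions.
"""
import re
from collections import defaultdict

# Subset of rows copied from the report (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp
US 8.8.8.8:53 secretmoney2.com udp
US 8.8.8.8:53 htmthgurhtchwlhwklf.com udp
US 8.8.8.8:53 jiwucjyxjibyd.com udp
US 8.8.8.8:53 khddwukkbwhfdiufhaj.com udp
US 8.8.8.8:53 snoknwlgcwgaafbtqkt.com udp
US 8.8.8.8:53 tfgyaoingy.com udp
US 8.8.8.8:53 ukiixagdbdkd.com udp
US 8.8.8.8:53 swbadolov.com udp
US 8.8.8.8:53 ouljuvkvn.com udp
US 8.8.8.8:53 tiqfgpaxvmhsxtk.com udp
US 8.8.8.8:53 cxatodxefolgkokdqy.com udp
US 204.95.99.223:443 snoknwlgcwgaafbtqkt.com tcp
DE 46.165.220.143:443 ukiixagdbdkd.com tcp
DE 195.201.179.207:443 tfgyaoingy.com tcp
IE 34.253.216.9:443 khddwukkbwhfdiufhaj.com tcp
US 162.249.65.200:443 htmthgurhtchwlhwklf.com tcp
US 8.8.8.8:53 ubkfgwqslhqyy.com udp
US 8.8.8.8:53 caytmlnlrou.com udp
US 8.8.8.8:53 qbsqnpyyooh.com udp
IE 34.253.216.9:443 ubkfgwqslhqyy.com tcp
US 8.8.8.8:53 nkootxbt.com udp
US 8.8.8.8:53 anypbvojndegpnm.com udp
DE 46.165.220.143:443 anypbvojndegpnm.com tcp
IE 34.253.216.9:443 nkootxbt.com tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<domain>[A-Za-z0-9.-]+) (?P<proto>udp|tcp)$"
)


def parse_rows(text):
    """Return (country, ip, port, domain, proto) tuples; rows that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["cc"], m["ip"], int(m["port"]), m["domain"].lower(), m["proto"]))
    return rows


def label_features(domain):
    """Cheap lexical features of the leftmost label (TLD dropped)."""
    label = domain.split(".")[0]
    vowels = sum(c in "aeiou" for c in label)
    runs = re.findall(r"[^aeiou]+", label)  # consonant/digit runs; 'y' counts as a consonant
    return {
        "len": len(label),
        "vowel_ratio": vowels / len(label) if label else 0.0,
        "max_consonant_run": max(map(len, runs), default=0),
    }


def looks_generated(domain, min_len=8, max_vowel_ratio=0.25, max_run=4):
    """Flag a long label that is vowel-poor or carries a long consonant run.
    Thresholds are assumptions; pronounceable generated names slip through."""
    f = label_features(domain)
    return f["len"] >= min_len and (
        f["vowel_ratio"] <= max_vowel_ratio or f["max_consonant_run"] >= max_run
    )


def summarize(rows):
    """Pair DNS queries with TCP follow-ups and cluster contacted names by IP."""
    queried = {d for _, _, port, d, proto in rows if proto == "udp" and port == 53}
    by_ip = defaultdict(set)  # destination ip -> names that got a TCP connection to it
    for _, ip, _, d, proto in rows:
        if proto == "tcp":
            by_ip[ip].add(d)
    contacted = set().union(*by_ip.values())
    return {
        "queried": len(queried),
        "contacted": len(contacted),
        "unanswered": sorted(queried - contacted),  # looked up but never connected to
        "flagged": sorted(d for d in queried if looks_generated(d)),
        "shared_ips": {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1},
    }


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    print(f"{s['queried']} names queried, {s['contacted']} contacted, "
          f"{len(s['flagged'])} look generated")
    for ip, names in s["shared_ips"].items():
        print(f"  {ip} serves {', '.join(names)}")
    print("  queried but never contacted:", ", ".join(s["unanswered"]))
```

On the subset above, 17 names are queried, 9 are contacted and 14 are flagged; the two IPs that serve more than one generated name are the ones worth blocking, while the individual names will have rotated by the time a rule ships. Tune the thresholds against your own resolver logs before relying on the heuristic; the false-negative on swbadolov.com is the expected failure mode.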

Files

memory/3012-0-0x0000000000400000-0x000000000043A000-memory.dmp

\Users\Admin\AppData\Local\Temp\iYju31Jt

MD5 7fc51f7f09344a3dbeb28e14c35ce39d
SHA1 c8a9082351f5edcd3012d5379caa33e0804e954f
SHA256 91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78
SHA512 b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

memory/3012-4-0x0000000000230000-0x000000000026B000-memory.dmp

memory/1828-11-0x0000000000400000-0x000000000043A04C-memory.dmp

memory/3012-10-0x0000000000230000-0x000000000026B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hpqrrx08.log

MD5 df935239192bec980b6fbb98682f6631
SHA1 fa6ea0426af07b0cbf0c2d8a463b9a4105018b6d
SHA256 857374d5f1dd76ff9581f83892dee7c85b0e0d266184559d81d1363de3ea05ca
SHA512 ccc0dae5f69ba619ee7f01738a4c2984ea68da3083ec921b9482b02b4639282ebac41b22831e34c0d15aa1b07aae1790f67fa610f76c7bbaee36f3e17229b84b

memory/2832-36-0x0000000000050000-0x0000000000051000-memory.dmp

memory/2832-34-0x0000000020010000-0x000000002001C000-memory.dmp

memory/3012-40-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2832-48-0x0000000020010000-0x000000002001C000-memory.dmp

memory/2500-54-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2832-50-0x0000000020010000-0x000000002001C000-memory.dmp

memory/2832-49-0x0000000020010000-0x000000002001C000-memory.dmp

memory/2832-45-0x0000000000070000-0x0000000000071000-memory.dmp

memory/1828-81-0x0000000076F90000-0x0000000076F91000-memory.dmp

memory/2500-78-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-72-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-74-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-71-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-62-0x0000000020010000-0x000000002002C000-memory.dmp

memory/1828-61-0x0000000076F8F000-0x0000000076F90000-memory.dmp

memory/1828-60-0x0000000076F90000-0x0000000076F91000-memory.dmp

memory/2832-47-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2832-46-0x0000000000050000-0x0000000000051000-memory.dmp

memory/2832-41-0x0000000020010000-0x000000002001C000-memory.dmp

memory/1828-32-0x0000000000400000-0x000000000043A04C-memory.dmp

memory/1828-31-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1828-30-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1828-28-0x0000000000400000-0x000000000043A04C-memory.dmp

memory/1828-27-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2500-82-0x0000000020010000-0x000000002002C000-memory.dmp

memory/1828-100-0x0000000002B70000-0x0000000002BAB000-memory.dmp

memory/1828-99-0x0000000002B70000-0x0000000002BAB000-memory.dmp

memory/1828-108-0x0000000002B70000-0x0000000002BAB000-memory.dmp

memory/1828-107-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1828-110-0x0000000000400000-0x000000000043A04C-memory.dmp

memory/2388-115-0x0000000000400000-0x000000000043A04C-memory.dmp

memory/2500-116-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-117-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-118-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-119-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-120-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-122-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-123-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-124-0x0000000020010000-0x000000002002C000-memory.dmp

memory/2500-125-0x0000000020010000-0x000000002002C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 15:16

Reported

2024-06-25 15:18

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iYju31Jt N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uscdqqewrswanjwq.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Note: none of the persistence or defense-evasion registry changes seen in the Windows 7 run (Userinit, EnableLUA, SafeBoot, Run key) appear in this Windows 10 run. The keys listed below are Internet Explorer's own housekeeping and are attributed to the IEXPLORE.EXE processes, not to the dropped binaries; they are weak indicators on their own.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115026" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3093985826" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115026" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115026" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426093562" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115026" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115026" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3092266624" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3292423200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3092266624" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3093985826" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E3EDD996-3305-11EF-8383-5AE3054E25D0} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\uscdqqewrswanjwq.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\uscdqqewrswanjwq.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\iYju31Jt
PID 5000 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\iYju31Jt
PID 5000 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\iYju31Jt
PID 432 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 432 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 432 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4644 wrote to memory of 4572 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4644 wrote to memory of 4572 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4572 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4572 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4572 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 432 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Windows\SysWOW64\svchost.exe
PID 432 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 432 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 432 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1980 wrote to memory of 1456 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1980 wrote to memory of 1456 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4572 wrote to memory of 3880 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4572 wrote to memory of 3880 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4572 wrote to memory of 3880 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 432 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Users\Admin\AppData\Local\Temp\uscdqqewrswanjwq.exe
PID 432 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Users\Admin\AppData\Local\Temp\uscdqqewrswanjwq.exe
PID 432 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\iYju31Jt C:\Users\Admin\AppData\Local\Temp\uscdqqewrswanjwq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0e8b7284c721e2c8b7b7532da050a55a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\iYju31Jt

"iYju31Jt"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4572 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3356 -ip 3356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4572 CREDAT:17416 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\uscdqqewrswanjwq.exe

"C:\Users\Admin\AppData\Local\Temp\uscdqqewrswanjwq.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/5000-0-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iYju31Jt

MD5 7fc51f7f09344a3dbeb28e14c35ce39d
SHA1 c8a9082351f5edcd3012d5379caa33e0804e954f
SHA256 91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78
SHA512 b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

memory/432-6-0x0000000000400000-0x000000000043B000-memory.dmp

memory/432-5-0x0000000000400000-0x000000000043A04C-memory.dmp

memory/432-7-0x0000000000400000-0x000000000043A04C-memory.dmp

memory/432-10-0x0000000000500000-0x0000000000501000-memory.dmp

memory/432-9-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/816-14-0x0000000000390000-0x0000000000391000-memory.dmp

memory/816-13-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/432-12-0x0000000000400000-0x000000000043A04C-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hpqrrx08.log

MD5 df935239192bec980b6fbb98682f6631
SHA1 fa6ea0426af07b0cbf0c2d8a463b9a4105018b6d
SHA256 857374d5f1dd76ff9581f83892dee7c85b0e0d266184559d81d1363de3ea05ca
SHA512 ccc0dae5f69ba619ee7f01738a4c2984ea68da3083ec921b9482b02b4639282ebac41b22831e34c0d15aa1b07aae1790f67fa610f76c7bbaee36f3e17229b84b

memory/5000-29-0x0000000000400000-0x000000000043A000-memory.dmp

memory/432-31-0x0000000000400000-0x000000000043B000-memory.dmp

memory/432-36-0x0000000076F92000-0x0000000076F93000-memory.dmp

memory/432-35-0x0000000000400000-0x000000000043A04C-memory.dmp

memory/432-39-0x0000000076F92000-0x0000000076F93000-memory.dmp

memory/432-38-0x0000000000400000-0x000000000043A04C-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD90A.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

memory/432-56-0x0000000000400000-0x000000000043B000-memory.dmp

memory/896-57-0x0000000000400000-0x000000000043B000-memory.dmp

memory/896-58-0x0000000000400000-0x000000000043A04C-memory.dmp

memory/896-63-0x0000000000400000-0x000000000043B000-memory.dmp

memory/896-61-0x0000000000400000-0x000000000043A04C-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee