Malware Analysis Report

2025-03-15 00:50

Sample ID: 240626-wedn6avfra
Target: 12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118
SHA256: 08ee8a89c78013621b08fae8fd83765eab5fdcc1342cb5958ac10b1545688392
Tags: defense_evasion, persistence
Score: 8/10

Analysis Overview

Score: 8/10
SHA256: 08ee8a89c78013621b08fae8fd83765eab5fdcc1342cb5958ac10b1545688392
Threat Level: Likely malicious

The file 12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion persistence

Drops file in Drivers directory

Event Triggered Execution: Image File Execution Options Injection

Checks computer location settings

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Runs net.exe

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-26 17:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-26 17:49
Reported: 2024-06-26 17:52
Platform: win7-20240419-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\drivers\Beep.sys | C:\Program Files\bnsk3.exe | N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegTool.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessSafe.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe | C:\Program Files\bnsk3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\POWER | C:\Program Files\bnsk3.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PROFSVC | C:\Program Files\bnsk3.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WINDEFEND | C:\Program Files\bnsk3.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\bnsk3.exe | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A
File created | C:\Program Files\Vodstup3.exe | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe | N/A | 14
N/A | N/A | C:\Program Files\bnsk3.exe | N/A | 50

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe | N/A | 14
Token: SeDebugPrivilege | N/A | C:\Program Files\bnsk3.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1968 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe | 4
PID 1968 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe | 4
PID 1968 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe | 4
PID 1968 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe | 4
PID 1968 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe | 4
PID 1968 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe | 4
PID 2564 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe | 4
PID 2752 wrote to memory of 2692 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe | 4
PID 1144 wrote to memory of 2832 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe | 4
PID 2656 wrote to memory of 2632 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe | 4
PID 2676 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe | 4
PID 2672 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe | 4
PID 1968 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | 4
PID 2496 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | C:\Program Files\bnsk3.exe | 4
PID 2496 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | C:\Program Files\Vodstup3.exe | 7
PID 2488 wrote to memory of 1088 | N/A | C:\Program Files\bnsk3.exe | C:\Windows\explorer.exe | 1

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe"
C:\Windows\SysWOW64\net.exe | net stop "Security Center"
C:\Windows\SysWOW64\net.exe | net stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net.exe | net stop System Restore Service
C:\Windows\SysWOW64\net.exe | net stop "Security Center"
C:\Windows\SysWOW64\net.exe | net stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net.exe | net stop System Restore Service
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop System Restore Service
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop System Restore Service
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Users\Admin\AppData\Local\Temp\wmnet.exe | C:\Users\Admin\AppData\Local\Temp\wmnet.exe
C:\Program Files\bnsk3.exe | "C:\Program Files\bnsk3.exe"
C:\Program Files\Vodstup3.exe | "C:\Program Files\Vodstup3.exe"
C:\Windows\explorer.exe | C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.1
C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.2
C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.3
C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.4
C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.5

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ut.njsk2.cn | udp

Files

memory/1968-0-0x0000000010000000-0x00000000101D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\wmnet.exe

MD5 777cd8cf92c578b41e631603faeff99b
SHA1 c8d2b6d02711095df3baaf3cb575ad0c776bc29b
SHA256 43781fd2d7aa7f88da5bcc6259825e91040ff520e61d6b9bbc36ce4e0851147c
SHA512 006b035181dc46186e6c7658e37f0f912f1e921d6e7e6354bc3481fcaf53fe2d5fd20bb182754f3f3cece16184ee4e2ab915497f3c8785ef7b5727c6faae51e2

memory/1968-8-0x0000000001DE0000-0x0000000001FA5000-memory.dmp

memory/1968-11-0x0000000001DE0000-0x0000000001FA5000-memory.dmp

memory/2496-12-0x0000000000400000-0x00000000005C4B10-memory.dmp

\Program Files\bnsk3.exe

MD5 396ca637411fc5ed58dd7e2f7c935c56
SHA1 628d16624b8a2bc897a8d53f71ced4d499d54773
SHA256 06ae50c9bf25303326b169bc78d7de383ee8e9688eedf12bdb832e03d587869c
SHA512 2e26fef6f6721ae6ef2d9d421faeffe740e1510e03f7853f62b27679213dd0cc5b54398507f26a48cce2e0c40ea9740965cc928d5176d092c0adc20ff4ce068e

\Program Files\Vodstup3.exe

MD5 cfda9c8171425aa7b205244d58bb7340
SHA1 a965c3621c7d22c341d14eb70268f4ab414dcda8
SHA256 61ed11474d4a545764c81edc0a606c95534de929703f702010e680742f347ad1
SHA512 f07a838d4662c718a7315d67bad37da3d938340e5f2de790c18375bba3c7ba51e99287d26b25591e19eb61d898a4aa72fc3426ebebf5afe05d0366c2d3bd0095

memory/2496-42-0x0000000000400000-0x00000000005C4B10-memory.dmp

\Users\Admin\AppData\Local\Temp\nst2187.tmp\LangDLL.dll

MD5 8c909780802ac2097ea4132e6375acd2
SHA1 b35fbda0725d7c66281d5c340b53eb5d54922583
SHA256 c66b568cd675806a499273e3e8aeda350425aac17fc24342ed54e477417cdc0f
SHA512 e94a37c586e55de8b61b427c14a385dcc57f3602d3dace90ad4663609da14a922cb78f76a58ed211549e987ba6f130cf2581eb48bcad2c9c25c6dc93a7ff6d08

C:\Users\Admin\AppData\Local\Temp\nst2187.tmp\ioSpecial.ini

MD5 ec6b2aef5738fc79da56157faffb86ea
SHA1 2381d92e78b3890581da798ed13688d25e78a511
SHA256 84c2ea1af7d35a1857458f4c07e216185e0f149e1c51520928922084479afbea
SHA512 0842ee98427c43c148c7fb326175f522420d12e563faa1b5fe2abf3b75ddb2d020036e9ca4923e01e81db966186c57c4b34583c2674b3b15e0bc56c7f0a6db46

\Users\Admin\AppData\Local\Temp\nst2187.tmp\InstallOptions.dll

MD5 3809b1424d53ccb427c88cabab8b5f94
SHA1 bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e
SHA256 426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088
SHA512 626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

\Users\Admin\AppData\Local\Temp\urlm0n.dll

MD5 2ee1e467d73642afddb03019f58c252b
SHA1 ea1f3b03f46db029a955190692cecbc571e1d46c
SHA256 5a7d5dafe22082b3ed035d640578ed7b5005edfe80e5c911774ec77a2caff1b3
SHA512 3482715d7c9adbfe61f7834120d1a8fce47ae5d70add285ddcfe8802a5d4a95ae00ae82079b9b9639c5d4fa5126ecfc61e1b09a141c0fea86926e26fc22f9082

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 cb9bdfde8f15d9af1353940632936d09
SHA1 67e27f1b550813f5ac08ad7ba53a0f1731b3bbb5
SHA256 debdbd31ce2269b2c61b42992fb8d90fee649e5e4c7c591da6a5d014f7290713
SHA512 741d50a93ee9307da18e09a822277db8a536afdce9cf15dbfbb2ff01ff5fe6540102f85e2c1ca6efd6bdcd10e48cbc63341c88710599d932201941c7b2c15c38

memory/1968-149-0x0000000010000000-0x00000000101D8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-26 17:49
Reported: 2024-06-26 17:52
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\drivers\Beep.sys | C:\Program Files\bnsk3.exe | N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegTool.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessSafe.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe C:\Program Files\bnsk3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\Debugger = "ntsd -d" C:\Program Files\bnsk3.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wmnet.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\CBDHSVC C:\Program Files\bnsk3.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\IAI2C.SYS C:\Program Files\bnsk3.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\POWER C:\Program Files\bnsk3.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\PROFSVC C:\Program Files\bnsk3.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\SERCX2.SYS C:\Program Files\bnsk3.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\USERMANAGER C:\Program Files\bnsk3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Vodstup3.exe N/A
N/A N/A C:\Program Files\Vodstup3.exe N/A
N/A N/A C:\Program Files\bnsk3.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Vodstup3.exe C:\Users\Admin\AppData\Local\Temp\wmnet.exe N/A
File created C:\Program Files\bnsk3.exe C:\Users\Admin\AppData\Local\Temp\wmnet.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\wmnet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe N/A
N/A N/A C:\Program Files\bnsk3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\bnsk3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 4532 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 4532 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 4532 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 4532 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 4532 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 4300 wrote to memory of 3784 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1488 wrote to memory of 4152 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3584 wrote to memory of 224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2248 wrote to memory of 4456 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3324 wrote to memory of 4944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2312 wrote to memory of 4948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4532 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wmnet.exe
PID 1984 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\wmnet.exe C:\Program Files\bnsk3.exe
PID 1984 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\wmnet.exe C:\Program Files\Vodstup3.exe
PID 3536 wrote to memory of 2668 N/A C:\Program Files\bnsk3.exe C:\Windows\explorer.exe
PID 3536 wrote to memory of 4288 N/A C:\Program Files\bnsk3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3536 wrote to memory of 3948 N/A C:\Program Files\bnsk3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3536 wrote to memory of 4428 N/A C:\Program Files\bnsk3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3536 wrote to memory of 3188 N/A C:\Program Files\bnsk3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3536 wrote to memory of 1500 N/A C:\Program Files\bnsk3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe"

C:\Windows\SysWOW64\net.exe

net stop "Security Center"

C:\Windows\SysWOW64\net.exe

net stop "Windows Firewall/Internet Connection Sharing (ICS)"

C:\Windows\SysWOW64\net.exe

net stop System Restore Service

C:\Windows\SysWOW64\net.exe

net stop "Security Center"

C:\Windows\SysWOW64\net.exe

net stop "Windows Firewall/Internet Connection Sharing (ICS)"

C:\Windows\SysWOW64\net.exe

net stop System Restore Service

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Security Center"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop System Restore Service

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Security Center"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop System Restore Service

C:\Users\Admin\AppData\Local\Temp\wmnet.exe

C:\Users\Admin\AppData\Local\Temp\wmnet.exe

C:\Program Files\bnsk3.exe

"C:\Program Files\bnsk3.exe"

C:\Program Files\Vodstup3.exe

"C:\Program Files\Vodstup3.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.1

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.3

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.4

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.5

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 ut.njsk2.cn udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 ut.njsk2.cn udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/4532-0-0x0000000010000000-0x00000000101D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wmnet.exe

memory/1984-6-0x0000000000400000-0x00000000005C4B10-memory.dmp

C:\Program Files\bnsk3.exe

C:\Program Files\Vodstup3.exe

memory/1984-72-0x0000000000400000-0x00000000005C4B10-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsp3971.tmp\LangDLL.dll

C:\Users\Admin\AppData\Local\Temp\nsp3971.tmp\ioSpecial.ini

C:\Users\Admin\AppData\Local\Temp\nsp3971.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\urlm0n.dll

C:\Users\Admin\AppData\Local\Temp\svchost.exe

memory/4532-173-0x0000000010000000-0x00000000101D8000-memory.dmp

\??\PIPE\wkssvc
