Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01/07/2024, 08:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1a92f71fb9af742904e1bcaf544f11a4_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1a92f71fb9af742904e1bcaf544f11a4_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 1a92f71fb9af742904e1bcaf544f11a4_JaffaCakes118.exe
Size: 324KB
MD5: 1a92f71fb9af742904e1bcaf544f11a4
SHA1: 62537b01cee786bdc6e257a32526a3b6ac7016da
SHA256: e4b86d227541a265c17f2136a44a5f479c21ad50022c848e716e0a9b0549c65f
SHA512: 15f198737b9fb226c8fd0d4a8ea698c3f677508c602c8402cf280e7de1fd5ebee79a5e96f4641c7446e21214d444660014b1d16a3228d310e6825119f6b83137
SSDEEP: 6144:dibGziIAVS75KqmzlNhWza6cmdJ6XRB8T5MJ8b6NHBRCV:diwIS75KqmzL6cmdJ6X78TuJ8byCV
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
  resource: behavioral1/files/0x0007000000015f9e-22.dat, yara rule: acprotect
  resource: behavioral1/files/0x00070000000160f8-45.dat, yara rule: acprotect
Executes dropped EXE 6 IoCs
  PID 2912: 1.exe
  PID 2464: vmss32.exe
  PID 2456: vmss32.exe
  PID 2900: vmss32.exe
  PID 2684: Remote-Controller.com
  PID 2908: Remote-Controller.com
Loads dropped DLL 21 IoCs
yara rule upx (UPX packer) matched:
  resource: behavioral1/files/0x0007000000015f9e-22.dat, yara rule: upx
  resource: behavioral1/memory/2912-24-0x0000000010000000-0x0000000010014000-memory.dmp, yara rule: upx
Drops file in System32 directory 38 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 30 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
  PID 2196: 1a92f71fb9af742904e1bcaf544f11a4_JaffaCakes118.exe
  PID 2912: 1.exe
  PID 2464: vmss32.exe
  PID 2456: vmss32.exe
  PID 2900: vmss32.exe
  PID 2684: Remote-Controller.com
  PID 2908: Remote-Controller.com
Suspicious use of WriteProcessMemory 35 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\1a92f71fb9af742904e1bcaf544f11a4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a92f71fb9af742904e1bcaf544f11a4_JaffaCakes118.exe"
  PID: 2196
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\1a92f71fb9af742904e1bcaf544f11a4_JaffaCakes118.exe"
    PID: 2176
  Depth 2: C:\Users\Admin\AppData\Roaming\1.exe
    Command line: C:\Users\Admin\AppData\Roaming\1.exe
    PID: 2912
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32 /s "C:\Windows\system32\mswinsck.ocx"
      PID: 2292
      - Loads dropped DLL
      - Modifies registry class
    Depth 3: C:\Windows\SysWOW64\vmss32.exe
      Command line: C:\Windows\system32\vmss32.exe
      PID: 2464
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\SysWOW64\vmss32.exe
        Command line: C:\Windows\system32\vmss32.exe
        PID: 2456
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Windows\SysWOW64\vmss32.exe
          Command line: C:\Windows\system32\vmss32.exe
          PID: 2900
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          Depth 6: C:\Windows\SysWOW64\Remote-Controller.com
            Command line: C:\Windows\system32\Remote-Controller.com
            PID: 2684
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            Depth 7: C:\Windows\SysWOW64\Remote-Controller.com
              Command line: C:\Windows\system32\Remote-Controller.com
              PID: 2908
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads