Malware Analysis Report

2025-01-03 08:22

Sample ID: 240704-vgztqszbrm
Target: 2597fef3521a6e95b68b17de972898cb_JaffaCakes118
SHA256: 0e0fdd23417c75d5be7d7b3ffc60231253412cdf740a1ec40fe7e5cac95ab4da
Tags: metasploit, backdoor, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 0e0fdd23417c75d5be7d7b3ffc60231253412cdf740a1ec40fe7e5cac95ab4da
Threat Level: Known bad

The file 2597fef3521a6e95b68b17de972898cb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: metasploit, backdoor, trojan

MetaSploit
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-07-04 16:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-04 16:58
Reported: 2024-07-04 17:10
Platform: win7-20240220-en
Max time kernel: 148s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe"

Signatures

MetaSploit

Tags: trojan, backdoor, metasploit

Drops file in System32 directory

Description | Indicator | Process | Target | Count
File created | C:\Windows\SysWOW64\autoformat.exe | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A | 1
File opened for modification | C:\Windows\SysWOW64\autoformat.exe | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A | 1
File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A | 5

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A | 6
N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A | 30

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3040 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | C:\Windows\SysWOW64\autoformat.exe | 4
PID 2408 wrote to memory of 768 | N/A | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | 4
PID 768 wrote to memory of 1720 | N/A | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | 4
PID 1720 wrote to memory of 540 | N/A | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | 4
PID 540 wrote to memory of 1060 | N/A | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe"

C:\Windows\SysWOW64\autoformat.exe
    C:\Windows\system32\autoformat.exe -bai C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe

C:\Windows\SysWOW64\autoformat.exe (4 instances, identical command line)
    C:\Windows\system32\autoformat.exe -bai C:\Windows\SysWOW64\autoformat.exe

Network

N/A

Files

\Windows\SysWOW64\autoformat.exe

MD5 2597fef3521a6e95b68b17de972898cb
SHA1 b360e70b65ba38aba1b754221c820487bb0c2338
SHA256 0e0fdd23417c75d5be7d7b3ffc60231253412cdf740a1ec40fe7e5cac95ab4da
SHA512 e659ed62f6fe81cb22e0d77fc9a3dea6a616ddf2f464843e52acf1552ecd6259b6aa3f37c526fab0a03697eaf72f820418a9ee6c94de0ba16a0cdaa66b7c8bfe


Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-04 16:58
Reported: 2024-07-04 17:14
Platform: win10v2004-20240611-en
Max time kernel: 148s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe"

Signatures

MetaSploit

Tags: trojan, backdoor, metasploit

Drops file in System32 directory

Description | Indicator | Process | Target | Count
File opened for modification | C:\Windows\SysWOW64\autoformat.exe | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A | 1
File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A | 5
File created | C:\Windows\SysWOW64\autoformat.exe | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A | 1

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A | 12
N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A | 52

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1448 wrote to memory of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | C:\Windows\SysWOW64\autoformat.exe | 3
PID 1336 wrote to memory of 1900 | N/A | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | 3
PID 1900 wrote to memory of 2376 | N/A | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | 3
PID 2376 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | 3
PID 2688 wrote to memory of 2088 | N/A | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe"

C:\Windows\SysWOW64\autoformat.exe
    C:\Windows\system32\autoformat.exe -bai C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3812,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8

C:\Windows\SysWOW64\autoformat.exe (4 instances, identical command line)
    C:\Windows\system32\autoformat.exe -bai C:\Windows\SysWOW64\autoformat.exe

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | g.bing.com | udp | 1
US | 204.79.197.237:443 | g.bing.com | tcp | 1
GB | 88.221.135.27:443 | www.bing.com | tcp | 1
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 27.135.221.88.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp | 5
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp | 1

Files

C:\Windows\SysWOW64\autoformat.exe

MD5 2597fef3521a6e95b68b17de972898cb
SHA1 b360e70b65ba38aba1b754221c820487bb0c2338
SHA256 0e0fdd23417c75d5be7d7b3ffc60231253412cdf740a1ec40fe7e5cac95ab4da
SHA512 e659ed62f6fe81cb22e0d77fc9a3dea6a616ddf2f464843e52acf1552ecd6259b6aa3f37c526fab0a03697eaf72f820418a9ee6c94de0ba16a0cdaa66b7c8bfe
