Malware Analysis Report

2025-01-03 08:21

Sample ID: 240706-gf4jmszdqf
Target: 2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118
SHA256: 6b817a01ac7122bcb0c41b7cb5b82c5d4a5a45ae0d82957b1f7da08932e0d0fd
Tags: metasploit backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 6b817a01ac7122bcb0c41b7cb5b82c5d4a5a45ae0d82957b1f7da08932e0d0fd
Threat Level: Known bad

The file 2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: metasploit backdoor trojan

MetaSploit
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

Read together, the detonations below show the sample copying itself to C:\Windows\SysWOW64\test1.exe (the dropped file has the same MD5, SHA1, SHA256 and SHA512 as the submitted sample), writing into a child copy of its own image (paired with SetThreadContext) and into Explorer.EXE, and creating the default shared-folder paths of several peer-to-peer clients (KaZaA, LimeWire, eDonkey2000, Morpheus, BearShare, Grokster, ICQ) under C:\Program Files. No network activity beyond a single reverse-DNS lookup was recorded.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-06 05:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 05:45

Reported

2024-07-06 05:48

Platform

win7-20240704-en

Max time kernel

118s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

MetaSploit (tags: trojan backdoor metasploit)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\test1.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\test1.exe | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\test1.exe | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\eDonkey2000\incoming | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A
File created | C:\Program Files\KAZAA | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A
File created | C:\Program Files\Morpheus\My Shared Folder\ | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A
File created | C:\Program Files\BearShare\Shared\ | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A
File created | C:\Program Files\ICQ\Shared Files\ | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A
File created | C:\Program Files\Grokster\My Grokster\ | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A
File created | C:\Program Files\LimeWire\Shared | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the last column gives how many times each row is listed.

Description | Indicator | Process | Target | Rows listed
PID 1636 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | 10
PID 2100 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | C:\Windows\Explorer.EXE | 1
PID 2100 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | C:\Windows\SysWOW64\test1.exe | 4

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 472 "C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe"

Injection chain (PIDs from the WriteProcessMemory table above): 1636 (sample) -> 2100 (sample) -> 2932 (test1.exe); PID 2100 also wrote into Explorer.EXE (PID 1208). test1.exe is started with a numeric argument followed by the quoted path of the sample. The command line names C:\Windows\system32\ while the image is recorded under C:\Windows\SysWOW64\: the process is 32-bit, so its system32 path is redirected by WOW64 file-system redirection.

Network

N/A

Files

memory/2100-0-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2100-2-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2100-4-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2100-6-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2100-8-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2100-9-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2100-10-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2100-12-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2100-14-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2100-15-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2100-26-0x0000000000400000-0x000000000048E000-memory.dmp

All dumps are of PID 2100 (the child copy of the sample that PID 1636 wrote into) and cover 0x00400000-0x0048E000, 0x8E000 bytes starting at the default 32-bit image base.

C:\Windows\SysWOW64\test1.exe

MD5 2770949cdb8c3162e0a6ae8eb590b944
SHA1 58ee985df907f49099997b5ce804c4578f57df4f
SHA256 6b817a01ac7122bcb0c41b7cb5b82c5d4a5a45ae0d82957b1f7da08932e0d0fd
SHA512 9b8c8141e2bf1dc5a816e03c3eaa5b8aa0432e5432e1f8175adb7897cbe6bdac13ea6b9839f4ea12434302d61088f9546c18c63dcd6eec6ea6108580df7403c1

The MD5 is the stem of the submitted file name and the SHA256 matches the report header: the dropped test1.exe is a byte-for-byte copy of the sample.

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 05:45

Reported

2024-07-06 05:48

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

63s

Command Line

C:\Windows\Explorer.EXE

Signatures

MetaSploit (tags: trojan backdoor metasploit)

Drops file in System32 directory

Identical rows are collapsed; the last column gives how many times each row is listed (22 rows in total).

Description | Indicator | Process | Target | Rows listed
File created | C:\Windows\SysWOW64\test1.exe | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A | 1
File opened for modification | C:\Windows\SysWOW64\test1.exe | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A | 1
File created | C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe | N/A | 10
File opened for modification | C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe | N/A | 10

Drops file in Program Files directory

Identical rows are collapsed; the last column gives how many times each row is listed (64 rows in total, which is where the table ends).

Description | Indicator | Process | Target | Rows listed
File created | C:\Program Files\BearShare\Shared\ | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A | 1
File created | C:\Program Files\eDonkey2000\incoming | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A | 1
File created | C:\Program Files\Grokster\My Grokster\ | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A | 1
File created | C:\Program Files\KAZAA | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A | 1
File created | C:\Program Files\LimeWire\Shared | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A | 1
File created | C:\Program Files\Morpheus\My Shared Folder\ | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A | 1
File created | C:\Program Files\BearShare\Shared\ | C:\Windows\SysWOW64\test1.exe | N/A | 8
File created | C:\Program Files\eDonkey2000\incoming | C:\Windows\SysWOW64\test1.exe | N/A | 9
File created | C:\Program Files\Grokster\My Grokster\ | C:\Windows\SysWOW64\test1.exe | N/A | 8
File created | C:\Program Files\ICQ\Shared Files\ | C:\Windows\SysWOW64\test1.exe | N/A | 8
File created | C:\Program Files\KAZAA | C:\Windows\SysWOW64\test1.exe | N/A | 7
File created | C:\Program Files\LimeWire\Shared | C:\Windows\SysWOW64\test1.exe | N/A | 10
File created | C:\Program Files\Morpheus\My Shared Folder\ | C:\Windows\SysWOW64\test1.exe | N/A | 8

Suspicious behavior: EnumeratesProcesses

Identical rows are collapsed; the last column gives how many times each row is listed (44 rows in total).

Description | Indicator | Process | Target | Rows listed
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | N/A | 4
N/A | N/A | C:\Windows\SysWOW64\test1.exe | N/A | 40

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the last column gives how many times each row is listed (64 rows in total, which is where the table ends).

Description | Indicator | Process | Target | Rows listed
PID 1344 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | 9
PID 5052 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | C:\Windows\Explorer.EXE | 1
PID 5052 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | C:\Windows\SysWOW64\test1.exe | 3
PID 2252 wrote to memory of 5084 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe | 9
PID 5084 wrote to memory of 3460 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\Explorer.EXE | 1
PID 5084 wrote to memory of 1456 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe | 3
PID 1456 wrote to memory of 2304 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe | 9
PID 2304 wrote to memory of 3460 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\Explorer.EXE | 1
PID 2304 wrote to memory of 3892 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe | 3
PID 3892 wrote to memory of 4700 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe | 9
PID 4700 wrote to memory of 3460 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\Explorer.EXE | 1
PID 4700 wrote to memory of 3204 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe | 3
PID 3204 wrote to memory of 3912 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe | 9
PID 3912 wrote to memory of 3460 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\Explorer.EXE | 1
PID 3912 wrote to memory of 1700 | N/A | C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe | 2
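The "Drops file in Program Files directory" and "Suspicious use of WriteProcessMemory" tables above are flattened and heavily repeated, and the PID chain they encode is easy to misread by eye. The script below is an added example, not part of the sandbox report or of any tool the report names: it parses rows in exactly this layout (handling paths that contain spaces, such as C:\Program Files\...), collapses repeated file-drop rows into counts, and walks the WriteProcessMemory rows into the spawn chain, labelling each (writer, target) pair as a same-image child, a dropped child or a foreign process. The two embedded tables are constructed excerpts of the behavioral2 rows; the function names and labels are the example's own.

```python
import re
from collections import Counter

# Constructed excerpts of two tables from the behavioral2 detonation above;
# the real tables repeat most rows many times, a few rows per stage suffice.
INJECTION_TABLE = r"""
Description Indicator Process Target
PID 1344 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
PID 1344 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
PID 5052 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 5052 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe C:\Windows\SysWOW64\test1.exe
PID 2252 wrote to memory of 5084 N/A C:\Windows\SysWOW64\test1.exe C:\Windows\SysWOW64\test1.exe
PID 2252 wrote to memory of 5084 N/A C:\Windows\SysWOW64\test1.exe C:\Windows\SysWOW64\test1.exe
PID 5084 wrote to memory of 3460 N/A C:\Windows\SysWOW64\test1.exe C:\Windows\Explorer.EXE
PID 5084 wrote to memory of 1456 N/A C:\Windows\SysWOW64\test1.exe C:\Windows\SysWOW64\test1.exe
"""
DROP_TABLE = r"""
Description Indicator Process Target
File created C:\Program Files\BearShare\Shared\ C:\Windows\SysWOW64\test1.exe N/A
File created C:\Program Files\KAZAA C:\Windows\SysWOW64\test1.exe N/A
File created C:\Program Files\BearShare\Shared\ C:\Windows\SysWOW64\test1.exe N/A
File created C:\Program Files\Morpheus\My Shared Folder\ C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe N/A
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
DROP_RE = re.compile(r"^(File created|File opened for modification) (.+) N/A$")
# Paths may contain spaces ("C:\Program Files\..."), so split a row's tail at
# the start of the next drive-letter path rather than on whitespace.
PATH_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z]:\\)")

def _two_paths(tail, line):
    paths = PATH_SPLIT_RE.split(tail)
    if len(paths) != 2:
        raise ValueError(f"unexpected row layout: {line!r}")
    return paths

def parse_writes(text):
    """(writer_pid, target_pid, writer_image, target_image) for each row."""
    rows = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:  # the header line and blank lines do not match
            src, dst, tail = m.groups()
            rows.append((int(src), int(dst), *_two_paths(tail, line)))
    return rows

def count_drops(text):
    """Collapse repeated 'Drops file' rows into (description, path, process) -> count."""
    counts = Counter()
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            desc, tail = m.groups()
            counts[(desc, *_two_paths(tail, line))] += 1
    return counts

def classify_writes(rows):
    """Label every (writer, target) pair and count how often it is listed."""
    images = {}
    for s, d, si, di in rows:
        images[s], images[d] = si, di
    writer_images = {si for _, _, si, _ in rows}
    labelled = {}
    for (s, d), n in Counter((s, d) for s, d, _, _ in rows).items():
        if images[s] == images[d]:
            kind = "same-image child"   # a copy of itself, as in every stage here
        elif images[d] in writer_images:
            kind = "dropped child"      # another image that continues the chain
        else:
            kind = "foreign process"    # never a writer: Explorer.EXE in this report
        labelled[(s, d)] = (kind, n)
    return labelled, images

def injection_chain(rows):
    """Walk the spawn chain from the root writer; foreign targets become leaves."""
    labelled, images = classify_writes(rows)
    roots = sorted({s for s, _ in labelled} - {d for _, d in labelled})
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, found {roots}")
    chain, leaves = [roots[0]], {}
    while True:
        children = []
        for (s, d), (kind, _) in labelled.items():
            if s == chain[-1] and kind == "foreign process":
                leaves[d] = images[d]
            elif s == chain[-1]:
                children.append(d)
        if not children:
            break
        if len(children) != 1:
            raise ValueError(f"PID {chain[-1]} wrote to several children: {children}")
        chain.append(children[0])
    return [(pid, images[pid]) for pid in chain], leaves

if __name__ == "__main__":
    chain, leaves = injection_chain(parse_writes(INJECTION_TABLE))
    print(" -> ".join(f"{pid} {img}" for pid, img in chain))
    print("also written to:", leaves)
    for key, n in sorted(count_drops(DROP_TABLE).items()):
        print(n, *key)
```

Run against the full behavioral2 table the chain walk yields 1344 -> 5052 -> 2252 -> 5084 -> 1456 -> 2304 -> 3892 -> 4700 -> 3204 -> 3912 -> 1700 with Explorer.EXE (PID 3460) as the only foreign target; the "same-image child" label is what a process writing into a freshly started copy of its own executable looks like in this table, which is the pattern the SetThreadContext and memory-dump entries in this report accompany.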

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 1004 "C:\Users\Admin\AppData\Local\Temp\2770949cdb8c3162e0a6ae8eb590b944_JaffaCakes118.exe"
C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 1156 "C:\Windows\SysWOW64\test1.exe"
C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 1124 "C:\Windows\SysWOW64\test1.exe"
C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 1008 "C:\Windows\SysWOW64\test1.exe"
C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 1128 "C:\Windows\SysWOW64\test1.exe"
C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 1116 "C:\Windows\SysWOW64\test1.exe"
C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 1128 "C:\Windows\SysWOW64\test1.exe"
C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 1120 "C:\Windows\SysWOW64\test1.exe"
C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 1124 "C:\Windows\SysWOW64\test1.exe"
C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe
C:\Windows\SysWOW64\test1.exe | C:\Windows\system32\test1.exe 1124 "C:\Windows\SysWOW64\test1.exe"
C:\Windows\SysWOW64\test1.exe | C:\Windows\SysWOW64\test1.exe

Injection chain (PIDs from the WriteProcessMemory table above): 1344 (sample) -> 5052 (sample) -> 2252 (test1.exe) -> 5084 -> 1456 -> 2304 -> 3892 -> 4700 -> 3204 -> 3912 -> 1700 (all test1.exe). PIDs 5052, 5084, 2304, 4700 and 3912 each also wrote into Explorer.EXE (PID 3460). The listing shows twenty test1.exe instances that alternate between a launch with a numeric argument plus the quoted path of the launching image (first the sample, then test1.exe itself) and a launch with the bare image path; the WriteProcessMemory table covers this chain only as far as PID 1700, where it ends after 64 rows. As in behavioral1, the command lines name C:\Windows\system32\ while the image is recorded under C:\Windows\SysWOW64\: the process is 32-bit, so its system32 path is redirected by WOW64 file-system redirection.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/5052-0-0x0000000000400000-0x000000000048E000-memory.dmp
memory/5052-2-0x0000000000400000-0x000000000048E000-memory.dmp
memory/5052-3-0x0000000000400000-0x000000000048E000-memory.dmp
memory/5052-4-0x0000000000400000-0x000000000048E000-memory.dmp
memory/5052-20-0x0000000000400000-0x000000000048E000-memory.dmp
memory/5084-15-0x0000000000400000-0x000000000048E000-memory.dmp
memory/5084-16-0x0000000000400000-0x000000000048E000-memory.dmp
memory/5084-21-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2304-27-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2304-28-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2304-32-0x0000000000400000-0x000000000048E000-memory.dmp
memory/4700-37-0x0000000000400000-0x000000000048E000-memory.dmp
memory/4700-41-0x0000000000400000-0x000000000048E000-memory.dmp
memory/3912-46-0x0000000000400000-0x000000000048E000-memory.dmp
memory/3912-50-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1984-55-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1984-59-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2264-64-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2264-68-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2288-73-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2288-77-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1352-82-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1352-86-0x0000000000400000-0x000000000048E000-memory.dmp

Every dump covers the same region, 0x00400000-0x0048E000, as the PID 2100 dumps in behavioral1. The dumped PIDs 5052, 5084, 2304, 4700 and 3912 are exactly the processes that received nine writes from their parent and then wrote into Explorer.EXE; PIDs 1984, 2264, 2288 and 1352 do not appear in the WriteProcessMemory table, which ends after 64 rows.

C:\Windows\SysWOW64\test1.exe

MD5 2770949cdb8c3162e0a6ae8eb590b944
SHA1 58ee985df907f49099997b5ce804c4578f57df4f
SHA256 6b817a01ac7122bcb0c41b7cb5b82c5d4a5a45ae0d82957b1f7da08932e0d0fd
SHA512 9b8c8141e2bf1dc5a816e03c3eaa5b8aa0432e5432e1f8175adb7897cbe6bdac13ea6b9839f4ea12434302d61088f9546c18c63dcd6eec6ea6108580df7403c1

Same hashes as the submitted sample and as the behavioral1 drop: the dropped test1.exe is a byte-for-byte copy of the sample.