Malware Analysis Report

2025-01-02 02:24

Sample ID 240718-t4ld7azfrf
Target 5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118
SHA256 f495a8ba97607ee74012dafbef1384b76daded34cca7765582b1fe8c006ce98f
Tags
themida xtremerat evasion persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f495a8ba97607ee74012dafbef1384b76daded34cca7765582b1fe8c006ce98f

Threat Level: Known bad

The file 5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

themida xtremerat evasion persistence rat spyware

Detect XtremeRAT payload

XtremeRAT

Identifies Wine through registry keys

Loads dropped DLL

Executes dropped EXE

Themida packer

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-18 16:36

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 16:36

Reported

2024-07-18 16:39

Platform

win7-20240704-en

Max time kernel

150s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Windows\SysWOW64\InstallDir\Server.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\InstallDir\Server.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\InstallDir\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe C:\Windows\SysWOW64\InstallDir\Server.exe
PID 2216 wrote to memory of 2536 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2700 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2156 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 1680 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2720 N/A C:\Windows\SysWOW64\InstallDir\Server.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe (8 instances)
svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe (8 instances)
svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe (8 instances)
svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe (8 instances)
svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe (8 instances)
svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe (8 instances)
svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe (8 instances)
svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe (8 instances)
svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe (8 instances)
svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe (8 instances)
svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe (7 instances)
svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\InstallDir\Server.exe

"C:\Windows\system32\InstallDir\Server.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe
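
The process list above is the report's flattened process tree: each entry is an image path followed by the command line that started it. Two patterns repeat throughout. First, svchost.exe launched from SysWOW64 with a bare "svchost.exe" command line; services.exe always starts svchost.exe as the System32 copy with "-k <group>", so a bare launch of the 32-bit copy is a hand-rolled CreateProcess, normally to get a fresh host for injected code. Second, Server.exe launched from an InstallDir folder under SysWOW64 or under AppData\Roaming. Note that the command line for the SysWOW64 copy reads "system32": the sample is a 32-bit process, so WOW64 file-system redirection turned its write to C:\Windows\system32\InstallDir into C:\Windows\SysWOW64\InstallDir. The Python below is an added triage example, not part of the sandbox report; its sample is a constructed subset of the list above plus one constructed benign svchost launch for contrast, and the finding names are my own labels.

```python
"""Triage a flattened sandbox process list given as image-path / command-line line pairs."""
import ntpath
import re

# Constructed sample: four entries copied from the process list above plus one
# constructed benign svchost.exe launch (the form services.exe uses) for contrast.
SAMPLE_PROCESS_LIST = r"""
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs
"""

# services.exe starts every svchost.exe with "-k <service group>".
SERVICE_GROUP_RE = re.compile(r"(^|\s)-k\s+\S+")


def parse_process_list(text):
    """Pair up the alternating image-path / command-line lines of the report."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("process list must alternate image path and command line")
    return list(zip(lines[0::2], lines[1::2]))


def findings_for(image, cmdline):
    """Return the suspicious traits of one process; an empty list means nothing flagged."""
    found = []
    image_l = image.lower()
    if ntpath.basename(image_l) == "svchost.exe":
        # A bare "svchost.exe" command line is not how services.exe launches it:
        # somebody called CreateProcess by hand, typically to host injected code.
        if not SERVICE_GROUP_RE.search(cmdline):
            found.append("svchost without -k service group")
        # Services on 64-bit Windows run the System32 svchost; the SysWOW64 copy is unusual.
        if "\\syswow64\\" in image_l:
            found.append("32-bit svchost from SysWOW64")
    if "\\installdir\\" in image_l:
        found.append("dropped copy launched from InstallDir")
    # Command line says system32 but the image lives in SysWOW64: WOW64 file-system
    # redirection, which tells you the launcher is a 32-bit process.
    if "system32" in cmdline.lower() and "\\syswow64\\" in image_l:
        found.append("system32 path redirected to SysWOW64 (32-bit launcher)")
    return found


def triage(text):
    """Count each finding across the whole list."""
    counts = {}
    for image, cmdline in parse_process_list(text):
        for finding in findings_for(image, cmdline):
            counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    for finding, n in sorted(triage(SAMPLE_PROCESS_LIST).items()):
        print(f"{n:3d}  {finding}")
```

Run against the full list above, the same checks flag every svchost.exe entry and every Server.exe entry, and leave a normal "-k netsvcs" launch alone; the "-k" test is the one worth carrying into an EDR query, since it holds for every version of Windows the report's platforms cover.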

Network

N/A

Files

memory/2548-0-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2548-1-0x0000000000C81000-0x0000000000C85000-memory.dmp

memory/2548-2-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2548-8-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2548-10-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2548-9-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2760-13-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2760-11-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2836-17-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2932-21-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2668-25-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1592-29-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2624-33-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2696-37-0x0000000000C80000-0x0000000000DF9000-memory.dmp

\Windows\SysWOW64\InstallDir\Server.exe

MD5 5834b52df8db61bf7dc7c3f8e0a58de1
SHA1 9cc70c6ae8e39ecb015e50139800f53ad0716cf2
SHA256 f495a8ba97607ee74012dafbef1384b76daded34cca7765582b1fe8c006ce98f
SHA512 b868387af58cd5d64a6153e39141ffaabda9770daec4164650d15386bfddf2655f103a3ee741e6a19eb4282fb409b5a1dbf1830c1257f37f74e1b17a0eae9e01

memory/2548-42-0x0000000006380000-0x00000000064F9000-memory.dmp

memory/2548-49-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2548-50-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2216-51-0x0000000000C80000-0x0000000000DF9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

MD5 d367201042e28888b53a6cff369302a3
SHA1 1a6a82c7ce822da7295f043c6b6458a9bd7f8480
SHA256 e85d8b5f8d39c3605cd2f062b340503c6d6696bd41b305b6ff6dd005a0bfbae1
SHA512 3822c3a1ad24e63e92c123254d5ed0552fc7c2f503869ae96dcc8be6072e646ed1869dce13a76d09aa52aad58ec212a44a49b5d03915e80be75133794d08eb5b

memory/2536-59-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2700-63-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2156-67-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1680-71-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2720-75-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/432-79-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/976-83-0x0000000000C80000-0x0000000000DF9000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2216-94-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1404-104-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/612-140-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2228-139-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/612-182-0x0000000006710000-0x0000000006889000-memory.dmp

memory/612-184-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2976-227-0x00000000064A0000-0x0000000006619000-memory.dmp

memory/2976-230-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2976-226-0x00000000064A0000-0x0000000006619000-memory.dmp

memory/2012-231-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2400-274-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2012-273-0x00000000064A0000-0x0000000006619000-memory.dmp

memory/2012-272-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2400-319-0x0000000006420000-0x0000000006599000-memory.dmp

memory/956-320-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2400-318-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2900-362-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/956-361-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2012-377-0x00000000064A0000-0x0000000006619000-memory.dmp

memory/2900-401-0x00000000064F0000-0x0000000006669000-memory.dmp

memory/2900-409-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2900-406-0x00000000064F0000-0x0000000006669000-memory.dmp

memory/2912-410-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1100-452-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2912-451-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2500-496-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1100-495-0x00000000063E0000-0x0000000006559000-memory.dmp

memory/1100-498-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/3056-538-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2500-540-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/3056-583-0x00000000064A0000-0x0000000006619000-memory.dmp

memory/2248-584-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/3056-586-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2348-623-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2248-625-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2348-664-0x0000000004FA0000-0x0000000005119000-memory.dmp

memory/2736-665-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2348-667-0x0000000004FA0000-0x0000000005119000-memory.dmp

memory/2348-668-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2736-707-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1624-708-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1624-748-0x00000000064F0000-0x0000000006669000-memory.dmp

memory/1624-750-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1624-747-0x00000000064F0000-0x0000000006669000-memory.dmp

memory/876-789-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1288-828-0x0000000005170000-0x00000000052E9000-memory.dmp

memory/1288-830-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2896-869-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1988-871-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1988-868-0x0000000006720000-0x0000000006899000-memory.dmp

memory/2896-912-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/2896-911-0x00000000050A0000-0x0000000005219000-memory.dmp

memory/808-952-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/1564-951-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/808-993-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/808-992-0x0000000006440000-0x00000000065B9000-memory.dmp

memory/1628-994-0x0000000000C80000-0x0000000000DF9000-memory.dmp
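
Every memory dump listed above covers exactly 0x179000 bytes, except memory/2548-1, which is a 0x4000-byte sub-range of the first dump. The region 0x00C80000-0x00DF9000 appears in several dozen different PIDs, while the same-sized regions at higher bases (0x06380000, 0x064A0000, 0x06710000 and so on) appear in one or a few processes each. Read together with the WriteProcessMemory signature, that is the footprint of a parent staging one image in its own address space and writing it into each freshly spawned svchost.exe at the same base. Two other things in this Files list are worth noting: the dropped \Windows\SysWOW64\InstallDir\Server.exe carries the same MD5, SHA1 and SHA256 as the submitted sample, so the persistence copy is an unmodified self-copy, and the hashes given for \??\PIPE\srvsvc are the hashes of zero bytes, meaning nothing was captured from that pipe. The Python below is an added example, not part of the sandbox report; it parses dump names in the report's memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp form and groups them so the injection pattern can be checked mechanically, using a constructed subset of the names above.

```python
"""Correlate sandbox memory-dump names to spot one image injected into many processes."""
import re
from collections import defaultdict

# Dump names follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as in the Files list above.
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Constructed subset of the behavioral1 dump names listed above.
SAMPLE_DUMPS = [
    "memory/2548-0-0x0000000000C80000-0x0000000000DF9000-memory.dmp",
    "memory/2548-1-0x0000000000C81000-0x0000000000C85000-memory.dmp",
    "memory/2760-11-0x0000000000C80000-0x0000000000DF9000-memory.dmp",
    "memory/2836-17-0x0000000000C80000-0x0000000000DF9000-memory.dmp",
    "memory/2548-42-0x0000000006380000-0x00000000064F9000-memory.dmp",
    "memory/612-182-0x0000000006710000-0x0000000006889000-memory.dmp",
    "memory/612-184-0x0000000000C80000-0x0000000000DF9000-memory.dmp",
    "memory/2348-664-0x0000000004FA0000-0x0000000005119000-memory.dmp",
    "memory/2348-668-0x0000000000C80000-0x0000000000DF9000-memory.dmp",
]


def parse_dump_name(name):
    """Return (pid, seq, start, end) for a dump file name, or None if it does not match."""
    m = DUMP_RE.fullmatch(name.strip())
    if m is None:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_pid(names):
    """Map each distinct (start, end) region to the sorted PIDs that had a dump of it."""
    regions = defaultdict(set)
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        regions[(start, end)].add(pid)
    return {region: sorted(pids) for region, pids in regions.items()}


def shared_images(names, min_pids=3):
    """Regions dumped at the same address from at least min_pids different processes.

    One image mapped at the same base in many unrelated processes is the classic
    footprint of a parent writing its payload into freshly spawned host processes.
    """
    return [
        {"base": start, "size": end - start, "pids": pids}
        for (start, end), pids in regions_by_pid(names).items()
        if len(pids) >= min_pids
    ]


def same_size_bases(names, size):
    """Every base at which a region of exactly `size` bytes was dumped, with its PIDs.

    Same-size regions at high, varying bases are where a parent staged the image
    before writing it into a child at the fixed base.
    """
    return {
        start: pids
        for (start, end), pids in regions_by_pid(names).items()
        if end - start == size
    }


if __name__ == "__main__":
    for hit in shared_images(SAMPLE_DUMPS):
        print(f"base 0x{hit['base']:08X} size 0x{hit['size']:X} in PIDs {hit['pids']}")
        for base, pids in sorted(same_size_bases(SAMPLE_DUMPS, hit["size"]).items()):
            print(f"  same size at 0x{base:08X}: {pids}")
```

Fed the complete list above, shared_images returns the single 0x00C80000 region with every injected PID, and same_size_bases(names, 0x179000) lists that base plus each staging address in the parents; the size equality is what ties the staging copies to the injected image, since the bases alone differ.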

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 16:36

Reported

2024-07-18 16:39

Platform

win10v2004-20240704-en

Max time kernel

141s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5834b52df8db61bf7dc7c3f8e0a58de1_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/3536-0-0x0000000000C80000-0x0000000000DF9000-memory.dmp

memory/3536-1-0x0000000000C80000-0x0000000000DF9000-memory.dmp