Malware Analysis Report

2024-09-22 10:46

Sample ID 240726-vb54kateqb
Target 74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118
SHA256 9f1f28be4c21032cba96c553adf0b3b0874020bbc3caf7da31be41df464aa5cf
Tags
hawkeye discovery keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

9f1f28be4c21032cba96c553adf0b3b0874020bbc3caf7da31be41df464aa5cf

Threat Level: Known bad

The file 74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hawkeye discovery keylogger persistence spyware stealer trojan

HawkEye

Adds policy Run key to start application

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Deletes itself

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-26 16:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 16:49

Reported

2024-07-26 20:33

Platform

win7-20240704-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe" C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe" C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Temp.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe N/A
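The two persistence rows above (values under Run and under Policies\Explorer\Run in the user's SID hive, which is what HKCU resolves to on a live host) are the cheapest indicators to hunt for on other machines. The Python below is an added triage example and is not part of this sandbox report: it parses the text that `reg query <key> /s` prints and flags values whose name masquerades as a Windows component (csrss, or the trademark-symbol name this sample uses) or whose binary lives in a user-writable directory, and it treats any populated Policies\Explorer\Run key as notable. The input is constructed to mirror the values in the table plus one benign OneDrive entry, which shows the caveat: a user-writable path on its own is a triage signal, not a verdict, and the flagged binary's hash and signature still need checking. Function and constant names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (not captured from the sandbox): what `reg query <key> /s`
# prints for the two autorun keys this report shows being written, carrying the same
# value names and paths as the behavioral1 table plus one benign OneDrive entry.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft® Windows® Operating System    REG_SZ    C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
    csrss    REG_SZ    C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Microsoft® Windows® Operating System    REG_SZ    C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
"""

# Heuristic: names of core Windows binaries that never belong in a per-user Run value.
SYSTEM_PROCESS_NAMES = {"csrss", "smss", "lsass", "winlogon", "wininit", "services", "svchost", "explorer"}
# Directories an unprivileged user can write to. A Run value pointing here is not proof of
# malice (OneDrive lives in AppData too), but it is where this sample stages every dropped binary.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public|downloads|documents)\\", re.I)


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reasons: list = field(default_factory=list)


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) from `reg query ... /s` output.

    Key lines are flush-left; value lines are indented and separated by runs of spaces,
    so splitting on two-or-more spaces keeps value names that contain single spaces intact.
    """
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            key = raw.strip()
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) == 3 and key:
            yield key, parts[0], parts[1], parts[2]


def find_suspicious_autoruns(text):
    """Return a Finding for every autorun value that trips at least one heuristic."""
    findings = []
    for key, name, _type, data in parse_reg_query(text):
        reasons = []
        if name.lower() in SYSTEM_PROCESS_NAMES or "®" in name:
            reasons.append("masquerading value name")
        if USER_WRITABLE.search(data):
            reasons.append("binary in user-writable directory")
        if "\\policies\\explorer\\run" in key.lower():
            reasons.append("Policies\\Explorer\\Run is rarely populated outside Group Policy")
        if reasons:
            findings.append(Finding(key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_REG_QUERY):
        print(f"{f.key}\n  {f.name} = {f.data}\n  -> {'; '.join(f.reasons)}")
```

On a live host, feed it `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` and the Policies\Explorer\Run equivalent; the HKLM counterparts of both keys are worth the same pass. A finding with only the user-writable reason (the OneDrive entry here) should be resolved by checking the file's signature and hash, not deleted on sight.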

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2768 set thread context of 2636 N/A C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
PID 2612 set thread context of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe N/A

Suspicious behavior: EnumeratesProcesses

Indicator and target are not recorded for this signature; rows are collapsed to the number of events per process.
Process Events
C:\Users\Admin\Documents\explorer.exe 19
C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe 19
C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe 18
C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe 8

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; Writes is the number of recorded WriteProcessMemory events for the pair.
Source PID Target PID Writes Source process Target process
560 2740 4 C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe C:\Users\Admin\Documents\explorer.exe
2740 2764 4 C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
2740 2928 4 C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
2928 2768 4 C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
2768 2636 12 C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
2636 2612 4 C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
2612 2400 12 C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
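Read together, the SetThreadContext and WriteProcessMemory rows above describe the execution chain: each stage spawns the next dropped binary, and two stages (Wmiprwsd.exe and Temp.exe) spawn a second copy of themselves, write into it repeatedly and then call SetThreadContext on it, which is the process-hollowing sequence (spawn suspended, overwrite the image, redirect the entry point, resume). The Python below is an added example and not part of the report: it parses rows in the sandbox's own row format into a process tree and separates same-image children that received both writes and a SetThreadContext call from those that only received writes (the explorer.exe → explorer.exe pair here, which this telemetry alone does not prove is hollowed). The input is a constructed excerpt of the behavioral1 rows with fewer repeats; function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the behavioral1 rows above, one sandbox event per line. The real
# tables repeat each pair 4 to 12 times; only a few repeats are kept here.
SAMPLE_EVENTS = r"""
PID 560 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe C:\Users\Admin\Documents\explorer.exe
PID 2740 wrote to memory of 2764 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 2740 wrote to memory of 2928 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
PID 2928 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
PID 2768 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
PID 2768 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
PID 2768 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
PID 2636 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
PID 2612 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
PID 2612 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
PID 2768 set thread context of 2636 N/A C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
PID 2612 set thread context of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
"""

# Row format used by both the WriteProcessMemory and SetThreadContext tables; the two
# image paths in this report contain no spaces, so \S+ is enough to capture them.
EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)")


def parse_events(text):
    """Return a list of (kind, src_pid, dst_pid, src_image, dst_image) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            kind = "write" if m.group(2).startswith("wrote") else "setctx"
            events.append((kind, int(m.group(1)), int(m.group(3)), m.group(4), m.group(5)))
    return events


def classify_injections(events):
    """Split same-image parent->child writes into hollowing candidates and plain self-spawns.

    A parent that writes into a child running the *same* image and then calls
    SetThreadContext on it has performed the classic hollowing sequence. Same-image writes
    without a recorded SetThreadContext are reported separately: they may still be
    hollowing via another resume path, but this telemetry alone does not show it.
    """
    writes = Counter((s, d) for k, s, d, *_ in events if k == "write")
    setctx = {(s, d) for k, s, d, *_ in events if k == "setctx"}
    images = {(s, d): (si, di) for _, s, d, si, di in events}
    hollowed, self_spawn_only = [], []
    for (s, d), n in sorted(writes.items()):
        si, di = images[(s, d)]
        if si.lower() != di.lower():
            continue  # cross-image write: a dropper starting the next stage, not hollowing
        entry = {"parent": s, "child": d, "image": di, "writes": n}
        (hollowed if (s, d) in setctx else self_spawn_only).append(entry)
    return hollowed, self_spawn_only


def render_tree(events, root):
    """Return an indented process tree (one string per process) using the writes as edges."""
    children = defaultdict(list)
    names = {}
    for _, s, d, si, di in events:
        names[s], names[d] = si.rsplit("\\", 1)[-1], di.rsplit("\\", 1)[-1]
        if d not in children[s]:
            children[s].append(d)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names[pid]} (PID {pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("\n".join(render_tree(evs, 560)))
    hollowed, self_only = classify_injections(evs)
    for h in hollowed:
        print(f"hollowed: PID {h['parent']} -> PID {h['child']} ({h['image']}, {h['writes']} writes)")
    for h in self_only:
        print(f"same-image writes only: PID {h['parent']} -> PID {h['child']} ({h['image']})")
```

The same parser runs over the behavioral2 rows unchanged; there the Temp.exe stage is started by the second explorer.exe instance (PID 184) rather than by the hollowed Wmiprwsd.exe child, and no SetThreadContext rows are recorded, so on that run every same-image pair lands in the writes-only bucket. The write counts are worth keeping in the output: the two hollowed children receive three times as many writes as the cross-image launches, consistent with an image being copied in section by section rather than a single buffer being placed.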

Processes

C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe"

C:\Users\Admin\Documents\explorer.exe

"C:\Users\Admin\Documents\explorer.exe"

C:\Users\Admin\Documents\explorer.exe

C:\Users\Admin\Documents\explorer.exe

C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe

"C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe"

C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe

C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe

C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe

C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

Network

Identical rows are collapsed; Count is the number of recorded flows.
Country Destination Domain Proto Count
US 8.8.8.8:53 gkid117.no-ip.info udp 2
ES 94.73.32.235:3081 gkid117.no-ip.info tcp 6
US 8.8.8.8:53 N/A udp 1
ES 94.73.32.235:3081 N/A tcp 1

Files

memory/560-0-0x00000000748B1000-0x00000000748B2000-memory.dmp

memory/560-1-0x00000000748B0000-0x0000000074E5B000-memory.dmp

memory/560-2-0x00000000748B0000-0x0000000074E5B000-memory.dmp

\Users\Admin\Documents\explorer.exe

MD5 74e5ed5269a7436d2c634d718dd0a36a
SHA1 9f96d79d44fd3d5e62345bb112c35b5653775379
SHA256 9f1f28be4c21032cba96c553adf0b3b0874020bbc3caf7da31be41df464aa5cf
SHA512 cd2f3ff28b49a0faded600390f03ec61845f943cfb2b1b231e3dbab441107a34bd8a824de2a080e9249c609a653268c4c057f084ba63273cd439e89e9d3e69b0

memory/560-18-0x00000000748B0000-0x0000000074E5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe

MD5 6ac73d462625d27d9f0f599ca1190dea
SHA1 746cbcaf898421e361baa72ac5400d6e5d6ef732
SHA256 fa35e4d655c8d1eefd9d4bacab0f6d932bd061e23c49503af747161248307f0c
SHA512 5789644e331955e2363fd45e45a49bb4266b01ab772d503a8324e4d126ddb2e244297462030a4c63c0088551ef6cac94fa460e4f7ce9f844757afdca4a5d4601

memory/2740-19-0x00000000748B0000-0x0000000074E5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 f4c1b2ab4c900cbc78cb94aa076b0273
SHA1 3594b28990ed6c519013096d09e2514efebe4710
SHA256 d8ab752eb5e186c5ca9745cd078577ef759a82c93686446eade4edc613dceafa
SHA512 630d89abb641d602eb0dfcab2740d9443f8edd5c72411b517186e699414c44d916e78ebc4f3cccad64f528107ab502b4b469c75f38e868343897f444298edead

memory/2740-23-0x00000000748B0000-0x0000000074E5B000-memory.dmp

memory/2740-24-0x00000000748B0000-0x0000000074E5B000-memory.dmp

memory/2636-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-43-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-41-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2636-39-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-38-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-37-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-36-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-35-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-34-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-44-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 0cb5c42fd26af3137f9b847cdaf6678d
SHA1 abdad38dffdd2aea628f93f2c55c8a958828866a
SHA256 de836f24bdfc49d9ff1edb1b52d2f5e5e19352e43c95e4fb1d8e1691d290d4e1
SHA512 9e17b6a6694855900e5fb20975bdd98e536c9095d36c02ba671cb9cf0850ebe1546f5a35bd175021f687ddd1412985ef105940d88d469b9328a200be1cb35517

memory/2400-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2400-69-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2740-70-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 16:49

Reported

2024-07-26 20:37

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe" C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe" C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Temp.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\Documents\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe N/A

Suspicious behavior: EnumeratesProcesses

Indicator and target are not recorded for this signature; rows are collapsed to the number of events per process.
Process Events
C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe 29
C:\Users\Admin\Documents\explorer.exe 15
C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe 15
C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe 5

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe C:\Users\Admin\Documents\explorer.exe
PID 948 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe C:\Users\Admin\Documents\explorer.exe
PID 948 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 184 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\Documents\explorer.exe
PID 4908 wrote to memory of 3924 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
PID 4908 wrote to memory of 3924 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
PID 4908 wrote to memory of 3924 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
PID 3924 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
PID 3924 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
PID 3924 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
PID 4376 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
PID 184 wrote to memory of 3132 N/A C:\Users\Admin\Documents\explorer.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
PID 3132 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
PID 220 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe
PID 3156 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\74e5ed5269a7436d2c634d718dd0a36a_JaffaCakes118.exe"

C:\Users\Admin\Documents\explorer.exe

"C:\Users\Admin\Documents\explorer.exe"

C:\Users\Admin\Documents\explorer.exe

C:\Users\Admin\Documents\explorer.exe

C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe

"C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe"

C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe

C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe

C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe

C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Temp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 gkid117.no-ip.info udp
ES 94.73.32.235:3081 gkid117.no-ip.info tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 40.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/948-0-0x0000000075222000-0x0000000075223000-memory.dmp

memory/948-1-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/948-2-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Users\Admin\Documents\explorer.exe

MD5 74e5ed5269a7436d2c634d718dd0a36a
SHA1 9f96d79d44fd3d5e62345bb112c35b5653775379
SHA256 9f1f28be4c21032cba96c553adf0b3b0874020bbc3caf7da31be41df464aa5cf
SHA512 cd2f3ff28b49a0faded600390f03ec61845f943cfb2b1b231e3dbab441107a34bd8a824de2a080e9249c609a653268c4c057f084ba63273cd439e89e9d3e69b0

memory/948-18-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe

MD5 6ac73d462625d27d9f0f599ca1190dea
SHA1 746cbcaf898421e361baa72ac5400d6e5d6ef732
SHA256 fa35e4d655c8d1eefd9d4bacab0f6d932bd061e23c49503af747161248307f0c
SHA512 5789644e331955e2363fd45e45a49bb4266b01ab772d503a8324e4d126ddb2e244297462030a4c63c0088551ef6cac94fa460e4f7ce9f844757afdca4a5d4601

memory/4908-17-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/4908-21-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 f4c1b2ab4c900cbc78cb94aa076b0273
SHA1 3594b28990ed6c519013096d09e2514efebe4710
SHA256 d8ab752eb5e186c5ca9745cd078577ef759a82c93686446eade4edc613dceafa
SHA512 630d89abb641d602eb0dfcab2740d9443f8edd5c72411b517186e699414c44d916e78ebc4f3cccad64f528107ab502b4b469c75f38e868343897f444298edead

memory/184-23-0x0000000000400000-0x0000000000423000-memory.dmp

memory/184-25-0x0000000000400000-0x0000000000423000-memory.dmp

memory/184-26-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 0cb5c42fd26af3137f9b847cdaf6678d
SHA1 abdad38dffdd2aea628f93f2c55c8a958828866a
SHA256 de836f24bdfc49d9ff1edb1b52d2f5e5e19352e43c95e4fb1d8e1691d290d4e1
SHA512 9e17b6a6694855900e5fb20975bdd98e536c9095d36c02ba671cb9cf0850ebe1546f5a35bd175021f687ddd1412985ef105940d88d469b9328a200be1cb35517

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 2d421d5d27c83a8d80478ccded23873a
SHA1 9849b69bcaed8b6fca38e9fc17e2abbd7df5ca7d
SHA256 6d513e948a16ca79064e0d510b8b92fb6a84434a1b60744567aafec3820cbb26
SHA512 df6e37db8131242d12d07fe36f4190f884babe5ef80d2160bc45918c621e3ce05ddfb2ddf494ff62494f8faf61b9f219c3a89688993c317a7ba5440d84ab3631

memory/4908-74-0x0000000075220000-0x00000000757D1000-memory.dmp