Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system -
submitted
28/07/2024, 01:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe
Resource
win7-20240705-en
6 signatures
150 seconds
General
-
Target
04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe
-
Size
194KB
-
MD5
04587298a0bc845b48e67ccac795ec1a
-
SHA1
aa096b7bee01d94e2a84826bf7114a08f18050d6
-
SHA256
c0516f6414c6f10eeb7818bf1bf1acf748df22c69fafd5314cdf4e76761b7da2
-
SHA512
9432f8d0f21bd6d6f92b848a0bc3fe23ab2dbbd68e6a86bab829ab8760d7d0a8f891082f102221a4544790bce7c940b313ecddf232fe705b21afe1fd74e13115
-
SSDEEP
1536:EvQBeOGtrYSSsrc93UBIfdC67m6AJiqjt3ufT/FRxZOYrDNDLI03:EhOm2sI93UufdC67ciyt3ujFf7rJDk03
Malware Config
Signatures
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/1460-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-83-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2744-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1292-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-169-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2940-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/556-201-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/108-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2436-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-548-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2492-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-917-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1408-1013-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-1275-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2036-1274-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1608-1356-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1608-2474-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2524 lffflff.exe 2280 xxrrfxr.exe 2340 nbthnb.exe 1300 vpdpd.exe 2860 fxxxrfl.exe 2180 7hbbht.exe 2640 vvpjj.exe 2744 7lrrlxf.exe 2608 flffllx.exe 1292 3nbttt.exe 2392 pvvdv.exe 1976 llrfrxx.exe 276 bbtbht.exe 2828 dvpjd.exe 1164 ppjvd.exe 1304 3thhnt.exe 2888 9tnbbh.exe 2032 ddvdd.exe 1768 rrxlxll.exe 2940 bttbbn.exe 556 ttnbbh.exe 108 ddvjv.exe 2128 3rrrlrf.exe 3012 bhntbh.exe 316 5vjvj.exe 2436 pdvjv.exe 2272 rrfllrx.exe 2692 tnbhtn.exe 1648 jpdjd.exe 2192 pjddp.exe 2544 xrlrfll.exe 2476 thbhnt.exe 1596 7nhbnb.exe 2468 ddvdp.exe 2748 xxxlllx.exe 2752 llfxlfx.exe 2820 btttnt.exe 2860 ddpdp.exe 2984 ddvjv.exe 2520 lxxxxfl.exe 2964 1flflrx.exe 2604 nhtbhn.exe 2680 jdvvv.exe 1620 jvvvv.exe 2224 lffrrxx.exe 1116 rfxlxfl.exe 1976 bbthtb.exe 1484 hbthhn.exe 1812 3djpv.exe 2828 3rxxlrl.exe 1796 rlflxfl.exe 2044 1tbhnb.exe 1632 nnhbbn.exe 1764 ppvjd.exe 3060 7lxfrlf.exe 2824 fxlfrxl.exe 1924 3tnhbt.exe 2188 bbbnbh.exe 1272 jdpdj.exe 236 lrxllff.exe 2432 fffrlxx.exe 840 btbthh.exe 836 btnbbh.exe 1536 tnbnbn.exe -
resource yara_rule behavioral1/memory/1460-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-220-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/316-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-658-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1336-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-881-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-968-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-975-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/556-994-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1460 wrote to memory of 2524 1460 04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe 30 PID 1460 wrote to memory of 2524 1460 04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe 30 PID 1460 wrote to memory of 2524 1460 04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe 30 PID 1460 wrote to memory of 2524 1460 04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe 30 PID 2524 wrote to memory of 2280 2524 lffflff.exe 31 PID 2524 wrote to memory of 2280 2524 lffflff.exe 31 PID 2524 wrote to memory of 2280 2524 lffflff.exe 31 PID 2524 wrote to memory of 2280 2524 lffflff.exe 31 PID 2280 wrote to memory of 2340 2280 xxrrfxr.exe 32 PID 2280 wrote to memory of 2340 2280 xxrrfxr.exe 32 PID 2280 wrote to memory of 2340 2280 xxrrfxr.exe 32 PID 2280 wrote to memory of 2340 2280 xxrrfxr.exe 32 PID 2340 wrote to memory of 1300 2340 nbthnb.exe 33 PID 2340 wrote to memory of 1300 2340 nbthnb.exe 33 PID 2340 wrote to memory of 1300 2340 nbthnb.exe 33 PID 2340 wrote to memory of 1300 2340 nbthnb.exe 33 PID 1300 wrote to memory of 2860 1300 vpdpd.exe 34 PID 1300 wrote to memory of 2860 1300 vpdpd.exe 34 PID 1300 wrote to memory of 2860 1300 vpdpd.exe 34 PID 1300 wrote to memory of 2860 1300 vpdpd.exe 34 PID 2860 wrote to memory of 2180 2860 fxxxrfl.exe 35 PID 2860 wrote to memory of 2180 2860 fxxxrfl.exe 35 PID 2860 wrote to memory of 2180 2860 fxxxrfl.exe 35 PID 2860 wrote to memory of 2180 2860 fxxxrfl.exe 35 PID 2180 wrote to memory of 2640 2180 7hbbht.exe 36 PID 2180 wrote to memory of 2640 2180 7hbbht.exe 36 PID 2180 wrote to memory of 2640 2180 7hbbht.exe 36 PID 2180 wrote to memory of 2640 2180 7hbbht.exe 36 PID 2640 wrote to memory of 2744 2640 vvpjj.exe 37 PID 2640 wrote to memory of 2744 2640 vvpjj.exe 37 PID 2640 wrote to memory of 2744 2640 vvpjj.exe 37 PID 2640 wrote to memory of 2744 2640 vvpjj.exe 37 PID 2744 wrote to memory of 2608 2744 7lrrlxf.exe 38 PID 2744 wrote to memory of 2608 2744 7lrrlxf.exe 38 PID 2744 wrote to memory of 
2608 2744 7lrrlxf.exe 38 PID 2744 wrote to memory of 2608 2744 7lrrlxf.exe 38 PID 2608 wrote to memory of 1292 2608 flffllx.exe 39 PID 2608 wrote to memory of 1292 2608 flffllx.exe 39 PID 2608 wrote to memory of 1292 2608 flffllx.exe 39 PID 2608 wrote to memory of 1292 2608 flffllx.exe 39 PID 1292 wrote to memory of 2392 1292 3nbttt.exe 40 PID 1292 wrote to memory of 2392 1292 3nbttt.exe 40 PID 1292 wrote to memory of 2392 1292 3nbttt.exe 40 PID 1292 wrote to memory of 2392 1292 3nbttt.exe 40 PID 2392 wrote to memory of 1976 2392 pvvdv.exe 41 PID 2392 wrote to memory of 1976 2392 pvvdv.exe 41 PID 2392 wrote to memory of 1976 2392 pvvdv.exe 41 PID 2392 wrote to memory of 1976 2392 pvvdv.exe 41 PID 1976 wrote to memory of 276 1976 llrfrxx.exe 42 PID 1976 wrote to memory of 276 1976 llrfrxx.exe 42 PID 1976 wrote to memory of 276 1976 llrfrxx.exe 42 PID 1976 wrote to memory of 276 1976 llrfrxx.exe 42 PID 276 wrote to memory of 2828 276 bbtbht.exe 43 PID 276 wrote to memory of 2828 276 bbtbht.exe 43 PID 276 wrote to memory of 2828 276 bbtbht.exe 43 PID 276 wrote to memory of 2828 276 bbtbht.exe 43 PID 2828 wrote to memory of 1164 2828 dvpjd.exe 44 PID 2828 wrote to memory of 1164 2828 dvpjd.exe 44 PID 2828 wrote to memory of 1164 2828 dvpjd.exe 44 PID 2828 wrote to memory of 1164 2828 dvpjd.exe 44 PID 1164 wrote to memory of 1304 1164 ppjvd.exe 45 PID 1164 wrote to memory of 1304 1164 ppjvd.exe 45 PID 1164 wrote to memory of 1304 1164 ppjvd.exe 45 PID 1164 wrote to memory of 1304 1164 ppjvd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\lffflff.exec:\lffflff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\xxrrfxr.exec:\xxrrfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\nbthnb.exec:\nbthnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\vpdpd.exec:\vpdpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\fxxxrfl.exec:\fxxxrfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\7hbbht.exec:\7hbbht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\vvpjj.exec:\vvpjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\7lrrlxf.exec:\7lrrlxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\flffllx.exec:\flffllx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\3nbttt.exec:\3nbttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\pvvdv.exec:\pvvdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\llrfrxx.exec:\llrfrxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\bbtbht.exec:\bbtbht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:276 -
\??\c:\dvpjd.exec:\dvpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\ppjvd.exec:\ppjvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\3thhnt.exec:\3thhnt.exe17⤵
- Executes dropped EXE
PID:1304 -
\??\c:\9tnbbh.exec:\9tnbbh.exe18⤵
- Executes dropped EXE
PID:2888 -
\??\c:\ddvdd.exec:\ddvdd.exe19⤵
- Executes dropped EXE
PID:2032 -
\??\c:\rrxlxll.exec:\rrxlxll.exe20⤵
- Executes dropped EXE
PID:1768 -
\??\c:\bttbbn.exec:\bttbbn.exe21⤵
- Executes dropped EXE
PID:2940 -
\??\c:\ttnbbh.exec:\ttnbbh.exe22⤵
- Executes dropped EXE
PID:556 -
\??\c:\ddvjv.exec:\ddvjv.exe23⤵
- Executes dropped EXE
PID:108 -
\??\c:\3rrrlrf.exec:\3rrrlrf.exe24⤵
- Executes dropped EXE
PID:2128 -
\??\c:\bhntbh.exec:\bhntbh.exe25⤵
- Executes dropped EXE
PID:3012 -
\??\c:\5vjvj.exec:\5vjvj.exe26⤵
- Executes dropped EXE
PID:316 -
\??\c:\pdvjv.exec:\pdvjv.exe27⤵
- Executes dropped EXE
PID:2436 -
\??\c:\rrfllrx.exec:\rrfllrx.exe28⤵
- Executes dropped EXE
PID:2272 -
\??\c:\tnbhtn.exec:\tnbhtn.exe29⤵
- Executes dropped EXE
PID:2692 -
\??\c:\jpdjd.exec:\jpdjd.exe30⤵
- Executes dropped EXE
PID:1648 -
\??\c:\pjddp.exec:\pjddp.exe31⤵
- Executes dropped EXE
PID:2192 -
\??\c:\xrlrfll.exec:\xrlrfll.exe32⤵
- Executes dropped EXE
PID:2544 -
\??\c:\thbhnt.exec:\thbhnt.exe33⤵
- Executes dropped EXE
PID:2476 -
\??\c:\7nhbnb.exec:\7nhbnb.exe34⤵
- Executes dropped EXE
PID:1596 -
\??\c:\ddvdp.exec:\ddvdp.exe35⤵
- Executes dropped EXE
PID:2468 -
\??\c:\xxxlllx.exec:\xxxlllx.exe36⤵
- Executes dropped EXE
PID:2748 -
\??\c:\llfxlfx.exec:\llfxlfx.exe37⤵
- Executes dropped EXE
PID:2752 -
\??\c:\btttnt.exec:\btttnt.exe38⤵
- Executes dropped EXE
PID:2820 -
\??\c:\ddpdp.exec:\ddpdp.exe39⤵
- Executes dropped EXE
PID:2860 -
\??\c:\ddvjv.exec:\ddvjv.exe40⤵
- Executes dropped EXE
PID:2984 -
\??\c:\lxxxxfl.exec:\lxxxxfl.exe41⤵
- Executes dropped EXE
PID:2520 -
\??\c:\1flflrx.exec:\1flflrx.exe42⤵
- Executes dropped EXE
PID:2964 -
\??\c:\nhtbhn.exec:\nhtbhn.exe43⤵
- Executes dropped EXE
PID:2604 -
\??\c:\jdvvv.exec:\jdvvv.exe44⤵
- Executes dropped EXE
PID:2680 -
\??\c:\jvvvv.exec:\jvvvv.exe45⤵
- Executes dropped EXE
PID:1620 -
\??\c:\lffrrxx.exec:\lffrrxx.exe46⤵
- Executes dropped EXE
PID:2224 -
\??\c:\rfxlxfl.exec:\rfxlxfl.exe47⤵
- Executes dropped EXE
PID:1116 -
\??\c:\bbthtb.exec:\bbthtb.exe48⤵
- Executes dropped EXE
PID:1976 -
\??\c:\hbthhn.exec:\hbthhn.exe49⤵
- Executes dropped EXE
PID:1484 -
\??\c:\3djpv.exec:\3djpv.exe50⤵
- Executes dropped EXE
PID:1812 -
\??\c:\3rxxlrl.exec:\3rxxlrl.exe51⤵
- Executes dropped EXE
PID:2828 -
\??\c:\rlflxfl.exec:\rlflxfl.exe52⤵
- Executes dropped EXE
PID:1796 -
\??\c:\1tbhnb.exec:\1tbhnb.exe53⤵
- Executes dropped EXE
PID:2044 -
\??\c:\nnhbbn.exec:\nnhbbn.exe54⤵
- Executes dropped EXE
PID:1632 -
\??\c:\ppvjd.exec:\ppvjd.exe55⤵
- Executes dropped EXE
PID:1764 -
\??\c:\7lxfrlf.exec:\7lxfrlf.exe56⤵
- Executes dropped EXE
PID:3060 -
\??\c:\fxlfrxl.exec:\fxlfrxl.exe57⤵
- Executes dropped EXE
PID:2824 -
\??\c:\3tnhbt.exec:\3tnhbt.exe58⤵
- Executes dropped EXE
PID:1924 -
\??\c:\bbbnbh.exec:\bbbnbh.exe59⤵
- Executes dropped EXE
PID:2188 -
\??\c:\jdpdj.exec:\jdpdj.exe60⤵
- Executes dropped EXE
PID:1272 -
\??\c:\lrxllff.exec:\lrxllff.exe61⤵
- Executes dropped EXE
PID:236 -
\??\c:\fffrlxx.exec:\fffrlxx.exe62⤵
- Executes dropped EXE
PID:2432 -
\??\c:\btbthh.exec:\btbthh.exe63⤵
- Executes dropped EXE
PID:840 -
\??\c:\btnbbh.exec:\btnbbh.exe64⤵
- Executes dropped EXE
PID:836 -
\??\c:\tnbnbn.exec:\tnbnbn.exe65⤵
- Executes dropped EXE
PID:1536 -
\??\c:\9vpdj.exec:\9vpdj.exe66⤵PID:2156
-
\??\c:\llrffrr.exec:\llrffrr.exe67⤵PID:2152
-
\??\c:\frlxrll.exec:\frlxrll.exe68⤵PID:2968
-
\??\c:\nhthnh.exec:\nhthnh.exe69⤵PID:1004
-
\??\c:\tbbhtb.exec:\tbbhtb.exe70⤵PID:1748
-
\??\c:\vddjj.exec:\vddjj.exe71⤵PID:2088
-
\??\c:\rffxlxr.exec:\rffxlxr.exe72⤵PID:2132
-
\??\c:\lxfflrf.exec:\lxfflrf.exe73⤵PID:2544
-
\??\c:\ntntbh.exec:\ntntbh.exe74⤵PID:2332
-
\??\c:\7bhtth.exec:\7bhtth.exe75⤵PID:2492
-
\??\c:\9dpdv.exec:\9dpdv.exe76⤵PID:2472
-
\??\c:\5frrrlf.exec:\5frrrlf.exe77⤵PID:2756
-
\??\c:\rlrrrxf.exec:\rlrrrxf.exe78⤵PID:2864
-
\??\c:\bnhbhb.exec:\bnhbhb.exe79⤵PID:2612
-
\??\c:\3bhhbb.exec:\3bhhbb.exe80⤵PID:2768
-
\??\c:\hbnnhn.exec:\hbnnhn.exe81⤵PID:2632
-
\??\c:\vjdjv.exec:\vjdjv.exe82⤵PID:2644
-
\??\c:\vpdjv.exec:\vpdjv.exe83⤵PID:2856
-
\??\c:\1rfffll.exec:\1rfffll.exe84⤵PID:2636
-
\??\c:\fxrxrlx.exec:\fxrxrlx.exe85⤵PID:2316
-
\??\c:\htnhhn.exec:\htnhhn.exe86⤵PID:2256
-
\??\c:\vvpjd.exec:\vvpjd.exe87⤵PID:2232
-
\??\c:\dvpdp.exec:\dvpdp.exe88⤵PID:2392
-
\??\c:\xrflrfl.exec:\xrflrfl.exe89⤵PID:1868
-
\??\c:\xrlfxlf.exec:\xrlfxlf.exe90⤵PID:2904
-
\??\c:\bbthnh.exec:\bbthnh.exe91⤵PID:1740
-
\??\c:\1tnthh.exec:\1tnthh.exe92⤵PID:1732
-
\??\c:\jddpp.exec:\jddpp.exe93⤵PID:1720
-
\??\c:\jdvdv.exec:\jdvdv.exe94⤵PID:2360
-
\??\c:\9xxrrxx.exec:\9xxrrxx.exe95⤵PID:1336
-
\??\c:\xxrfrfx.exec:\xxrfrfx.exe96⤵PID:2908
-
\??\c:\bbnttt.exec:\bbnttt.exe97⤵PID:2972
-
\??\c:\nhbntn.exec:\nhbntn.exe98⤵PID:2952
-
\??\c:\pddvj.exec:\pddvj.exe99⤵PID:2416
-
\??\c:\pdjdj.exec:\pdjdj.exe100⤵PID:2212
-
\??\c:\rrfflll.exec:\rrfflll.exe101⤵PID:2336
-
\??\c:\fxlxlrf.exec:\fxlxlrf.exe102⤵PID:3064
-
\??\c:\tnhttb.exec:\tnhttb.exe103⤵PID:404
-
\??\c:\bthnbh.exec:\bthnbh.exe104⤵PID:1824
-
\??\c:\5ppvp.exec:\5ppvp.exe105⤵PID:3004
-
\??\c:\xrlfrrx.exec:\xrlfrrx.exe106⤵PID:1228
-
\??\c:\lfrxflx.exec:\lfrxflx.exe107⤵PID:2136
-
\??\c:\tbhbnh.exec:\tbhbnh.exe108⤵PID:1696
-
\??\c:\bttnth.exec:\bttnth.exe109⤵PID:1500
-
\??\c:\pddvp.exec:\pddvp.exe110⤵PID:888
-
\??\c:\vppvj.exec:\vppvj.exe111⤵PID:1240
-
\??\c:\lxllffl.exec:\lxllffl.exe112⤵PID:3020
-
\??\c:\7rflxxl.exec:\7rflxxl.exe113⤵PID:2976
-
\??\c:\thttnt.exec:\thttnt.exe114⤵PID:2312
-
\??\c:\5hbtth.exec:\5hbtth.exe115⤵PID:696
-
\??\c:\jdvdv.exec:\jdvdv.exe116⤵PID:884
-
\??\c:\rxfrrxx.exec:\rxfrrxx.exe117⤵PID:1568
-
\??\c:\fllxxxl.exec:\fllxxxl.exe118⤵PID:2456
-
\??\c:\bbbhht.exec:\bbbhht.exe119⤵PID:2804
-
\??\c:\tnnthn.exec:\tnnthn.exe120⤵PID:2764
-
\??\c:\pjdpd.exec:\pjdpd.exe121⤵PID:2736
-
\??\c:\vjddj.exec:\vjddj.exe122⤵PID:2916
-