Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system -
submitted
28/07/2024, 01:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe
Resource
win7-20240705-en
6 signatures
150 seconds
General
-
Target
04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe
-
Size
194KB
-
MD5
04587298a0bc845b48e67ccac795ec1a
-
SHA1
aa096b7bee01d94e2a84826bf7114a08f18050d6
-
SHA256
c0516f6414c6f10eeb7818bf1bf1acf748df22c69fafd5314cdf4e76761b7da2
-
SHA512
9432f8d0f21bd6d6f92b848a0bc3fe23ab2dbbd68e6a86bab829ab8760d7d0a8f891082f102221a4544790bce7c940b313ecddf232fe705b21afe1fd74e13115
-
SSDEEP
1536:EvQBeOGtrYSSsrc93UBIfdC67m6AJiqjt3ufT/FRxZOYrDNDLI03:EhOm2sI93UufdC67ciyt3ujFf7rJDk03
Malware Config
Signatures
-
Detect Blackmoon payload 60 IoCs
resource yara_rule behavioral2/memory/4160-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2128-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1604-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-819-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3016 jdjjv.exe 1000 rflllrr.exe 1204 btnnnt.exe 3936 vdddp.exe 1404 rrxxxll.exe 884 tbthnn.exe 2076 djjdd.exe 3204 ffrxxfx.exe 3008 jjddd.exe 3024 3vddj.exe 1572 ffrrflf.exe 4448 bbttnn.exe 2580 djpjp.exe 1496 llfxflf.exe 3760 hhnbtt.exe 2872 pjjjj.exe 5040 bhnnnn.exe 436 hbthhn.exe 3348 rrllrrr.exe 2944 tnbbnb.exe 5088 jvdvv.exe 1252 tnhbtn.exe 4676 nbbbtb.exe 1700 ppvvv.exe 4292 rxffffl.exe 2020 hbbbtt.exe 2128 rfrlrrl.exe 4280 hbhhhh.exe 4632 vdpvj.exe 4344 bhttbh.exe 3796 htbbtb.exe 3464 9vvvv.exe 4360 llrxfrx.exe 4780 7hhnth.exe 3256 vvjdd.exe 2260 fxxxrrr.exe 4372 bttttb.exe 5112 vdjdj.exe 2256 lrxxxff.exe 3248 vjpjp.exe 4108 9pvjp.exe 1028 hbtbtb.exe 1572 vppvj.exe 5084 lfxllxf.exe 3444 tbhbnt.exe 2044 vjpjj.exe 1680 jdjpd.exe 4284 ffxxfll.exe 3676 hhhbtb.exe 1980 jdjjp.exe 2952 hhbhhn.exe 968 pdjpj.exe 3504 fffxrlr.exe 2784 llllflx.exe 1964 9nnnnh.exe 4856 jddjj.exe 3280 lllfrxx.exe 1340 5htttt.exe 4024 jvjdj.exe 4672 jvvvd.exe 4432 3lrlllr.exe 2916 thbtnn.exe 1876 ttntnh.exe 4864 djpvv.exe -
resource yara_rule behavioral2/memory/4160-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1700-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-279-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3280-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-418-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffflxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4160 wrote to memory of 3016 4160 04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe 84 PID 4160 wrote to memory of 3016 4160 04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe 84 PID 4160 wrote to memory of 3016 4160 04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe 84 PID 3016 wrote to memory of 1000 3016 jdjjv.exe 85 PID 3016 wrote to memory of 1000 3016 jdjjv.exe 85 PID 3016 wrote to memory of 1000 3016 jdjjv.exe 85 PID 1000 wrote to memory of 1204 1000 rflllrr.exe 86 PID 1000 wrote to memory of 1204 1000 rflllrr.exe 86 PID 1000 wrote to memory of 1204 1000 rflllrr.exe 86 PID 1204 wrote to memory of 3936 1204 btnnnt.exe 87 PID 1204 wrote to memory of 3936 1204 btnnnt.exe 87 PID 1204 wrote to memory of 3936 1204 btnnnt.exe 87 PID 3936 wrote to memory of 1404 3936 vdddp.exe 88 PID 3936 wrote to memory of 1404 3936 vdddp.exe 88 PID 3936 wrote to memory of 1404 3936 vdddp.exe 88 PID 1404 wrote to memory of 884 1404 rrxxxll.exe 89 PID 1404 wrote to memory of 884 1404 rrxxxll.exe 89 PID 1404 wrote to memory of 884 1404 rrxxxll.exe 89 PID 884 wrote to memory of 2076 884 tbthnn.exe 90 PID 884 wrote to memory of 2076 884 tbthnn.exe 90 PID 884 wrote to memory of 2076 884 tbthnn.exe 90 PID 2076 wrote to memory of 3204 2076 djjdd.exe 172 PID 2076 wrote to memory of 3204 2076 djjdd.exe 172 PID 2076 wrote to memory of 3204 2076 djjdd.exe 172 PID 3204 wrote to memory of 3008 3204 ffrxxfx.exe 93 PID 3204 wrote to memory of 3008 3204 ffrxxfx.exe 93 PID 3204 wrote to memory of 3008 3204 ffrxxfx.exe 93 PID 3008 wrote to memory of 3024 3008 jjddd.exe 94 PID 3008 wrote to memory of 3024 3008 jjddd.exe 94 PID 3008 wrote to memory of 3024 3008 jjddd.exe 94 PID 3024 wrote to memory of 1572 3024 3vddj.exe 130 PID 3024 wrote to memory of 1572 3024 3vddj.exe 130 PID 3024 wrote to memory of 1572 3024 3vddj.exe 130 PID 1572 wrote to memory of 4448 1572 ffrrflf.exe 96 PID 1572 wrote to memory of 4448 1572 ffrrflf.exe 96 PID 1572 wrote to memory of 
4448 1572 ffrrflf.exe 96 PID 4448 wrote to memory of 2580 4448 bbttnn.exe 98 PID 4448 wrote to memory of 2580 4448 bbttnn.exe 98 PID 4448 wrote to memory of 2580 4448 bbttnn.exe 98 PID 2580 wrote to memory of 1496 2580 djpjp.exe 99 PID 2580 wrote to memory of 1496 2580 djpjp.exe 99 PID 2580 wrote to memory of 1496 2580 djpjp.exe 99 PID 1496 wrote to memory of 3760 1496 llfxflf.exe 100 PID 1496 wrote to memory of 3760 1496 llfxflf.exe 100 PID 1496 wrote to memory of 3760 1496 llfxflf.exe 100 PID 3760 wrote to memory of 2872 3760 hhnbtt.exe 102 PID 3760 wrote to memory of 2872 3760 hhnbtt.exe 102 PID 3760 wrote to memory of 2872 3760 hhnbtt.exe 102 PID 2872 wrote to memory of 5040 2872 pjjjj.exe 103 PID 2872 wrote to memory of 5040 2872 pjjjj.exe 103 PID 2872 wrote to memory of 5040 2872 pjjjj.exe 103 PID 5040 wrote to memory of 436 5040 bhnnnn.exe 104 PID 5040 wrote to memory of 436 5040 bhnnnn.exe 104 PID 5040 wrote to memory of 436 5040 bhnnnn.exe 104 PID 436 wrote to memory of 3348 436 hbthhn.exe 105 PID 436 wrote to memory of 3348 436 hbthhn.exe 105 PID 436 wrote to memory of 3348 436 hbthhn.exe 105 PID 3348 wrote to memory of 2944 3348 rrllrrr.exe 106 PID 3348 wrote to memory of 2944 3348 rrllrrr.exe 106 PID 3348 wrote to memory of 2944 3348 rrllrrr.exe 106 PID 2944 wrote to memory of 5088 2944 tnbbnb.exe 107 PID 2944 wrote to memory of 5088 2944 tnbbnb.exe 107 PID 2944 wrote to memory of 5088 2944 tnbbnb.exe 107 PID 5088 wrote to memory of 1252 5088 jvdvv.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\04587298a0bc845b48e67ccac795ec1a_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\jdjjv.exec:\jdjjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\rflllrr.exec:\rflllrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\btnnnt.exec:\btnnnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\vdddp.exec:\vdddp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\rrxxxll.exec:\rrxxxll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\tbthnn.exec:\tbthnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\djjdd.exec:\djjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\ffrxxfx.exec:\ffrxxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\jjddd.exec:\jjddd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\3vddj.exec:\3vddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\ffrrflf.exec:\ffrrflf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\bbttnn.exec:\bbttnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\djpjp.exec:\djpjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\llfxflf.exec:\llfxflf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\hhnbtt.exec:\hhnbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\pjjjj.exec:\pjjjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\bhnnnn.exec:\bhnnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\hbthhn.exec:\hbthhn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\rrllrrr.exec:\rrllrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\tnbbnb.exec:\tnbbnb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\jvdvv.exec:\jvdvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\tnhbtn.exec:\tnhbtn.exe23⤵
- Executes dropped EXE
PID:1252 -
\??\c:\nbbbtb.exec:\nbbbtb.exe24⤵
- Executes dropped EXE
PID:4676 -
\??\c:\ppvvv.exec:\ppvvv.exe25⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rxffffl.exec:\rxffffl.exe26⤵
- Executes dropped EXE
PID:4292 -
\??\c:\hbbbtt.exec:\hbbbtt.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
\??\c:\rfrlrrl.exec:\rfrlrrl.exe28⤵
- Executes dropped EXE
PID:2128 -
\??\c:\hbhhhh.exec:\hbhhhh.exe29⤵
- Executes dropped EXE
PID:4280 -
\??\c:\vdpvj.exec:\vdpvj.exe30⤵
- Executes dropped EXE
PID:4632 -
\??\c:\bhttbh.exec:\bhttbh.exe31⤵
- Executes dropped EXE
PID:4344 -
\??\c:\htbbtb.exec:\htbbtb.exe32⤵
- Executes dropped EXE
PID:3796 -
\??\c:\9vvvv.exec:\9vvvv.exe33⤵
- Executes dropped EXE
PID:3464 -
\??\c:\llrxfrx.exec:\llrxfrx.exe34⤵
- Executes dropped EXE
PID:4360 -
\??\c:\7hhnth.exec:\7hhnth.exe35⤵
- Executes dropped EXE
PID:4780 -
\??\c:\vvjdd.exec:\vvjdd.exe36⤵
- Executes dropped EXE
PID:3256 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe37⤵
- Executes dropped EXE
PID:2260 -
\??\c:\bttttb.exec:\bttttb.exe38⤵
- Executes dropped EXE
PID:4372 -
\??\c:\vdjdj.exec:\vdjdj.exe39⤵
- Executes dropped EXE
PID:5112 -
\??\c:\lrxxxff.exec:\lrxxxff.exe40⤵
- Executes dropped EXE
PID:2256 -
\??\c:\vjpjp.exec:\vjpjp.exe41⤵
- Executes dropped EXE
PID:3248 -
\??\c:\9pvjp.exec:\9pvjp.exe42⤵
- Executes dropped EXE
PID:4108 -
\??\c:\hbtbtb.exec:\hbtbtb.exe43⤵
- Executes dropped EXE
PID:1028 -
\??\c:\vppvj.exec:\vppvj.exe44⤵
- Executes dropped EXE
PID:1572 -
\??\c:\lfxllxf.exec:\lfxllxf.exe45⤵
- Executes dropped EXE
PID:5084 -
\??\c:\tbhbnt.exec:\tbhbnt.exe46⤵
- Executes dropped EXE
PID:3444 -
\??\c:\vjpjj.exec:\vjpjj.exe47⤵
- Executes dropped EXE
PID:2044 -
\??\c:\jdjpd.exec:\jdjpd.exe48⤵
- Executes dropped EXE
PID:1680 -
\??\c:\ffxxfll.exec:\ffxxfll.exe49⤵
- Executes dropped EXE
PID:4284 -
\??\c:\hhhbtb.exec:\hhhbtb.exe50⤵
- Executes dropped EXE
PID:3676 -
\??\c:\jdjjp.exec:\jdjjp.exe51⤵
- Executes dropped EXE
PID:1980 -
\??\c:\hhbhhn.exec:\hhbhhn.exe52⤵
- Executes dropped EXE
PID:2952 -
\??\c:\pdjpj.exec:\pdjpj.exe53⤵
- Executes dropped EXE
PID:968 -
\??\c:\fffxrlr.exec:\fffxrlr.exe54⤵
- Executes dropped EXE
PID:3504 -
\??\c:\llllflx.exec:\llllflx.exe55⤵
- Executes dropped EXE
PID:2784 -
\??\c:\9nnnnh.exec:\9nnnnh.exe56⤵
- Executes dropped EXE
PID:1964 -
\??\c:\jddjj.exec:\jddjj.exe57⤵
- Executes dropped EXE
PID:4856 -
\??\c:\lllfrxx.exec:\lllfrxx.exe58⤵
- Executes dropped EXE
PID:3280 -
\??\c:\5htttt.exec:\5htttt.exe59⤵
- Executes dropped EXE
PID:1340 -
\??\c:\jvjdj.exec:\jvjdj.exe60⤵
- Executes dropped EXE
PID:4024 -
\??\c:\jvvvd.exec:\jvvvd.exe61⤵
- Executes dropped EXE
PID:4672 -
\??\c:\3lrlllr.exec:\3lrlllr.exe62⤵
- Executes dropped EXE
PID:4432 -
\??\c:\thbtnn.exec:\thbtnn.exe63⤵
- Executes dropped EXE
PID:2916 -
\??\c:\ttntnh.exec:\ttntnh.exe64⤵
- Executes dropped EXE
PID:1876 -
\??\c:\djpvv.exec:\djpvv.exe65⤵
- Executes dropped EXE
PID:4864 -
\??\c:\5lrrrxx.exec:\5lrrrxx.exe66⤵PID:3956
-
\??\c:\rrrrxxf.exec:\rrrrxxf.exe67⤵PID:4144
-
\??\c:\htthtt.exec:\htthtt.exe68⤵PID:1592
-
\??\c:\pdjjj.exec:\pdjjj.exe69⤵PID:2848
-
\??\c:\lxfflrr.exec:\lxfflrr.exe70⤵PID:4716
-
\??\c:\hbbbbh.exec:\hbbbbh.exe71⤵PID:4868
-
\??\c:\jppvd.exec:\jppvd.exe72⤵PID:4544
-
\??\c:\xfxrrrx.exec:\xfxrrrx.exe73⤵PID:1144
-
\??\c:\bnnbtn.exec:\bnnbtn.exe74⤵PID:2688
-
\??\c:\1bhntb.exec:\1bhntb.exe75⤵PID:4996
-
\??\c:\jddvp.exec:\jddvp.exe76⤵PID:3964
-
\??\c:\rfxfrxl.exec:\rfxfrxl.exe77⤵PID:4152
-
\??\c:\nhhbhh.exec:\nhhbhh.exe78⤵PID:3256
-
\??\c:\rrrxxxx.exec:\rrrxxxx.exe79⤵PID:2084
-
\??\c:\tnntnt.exec:\tnntnt.exe80⤵PID:2136
-
\??\c:\vjdjj.exec:\vjdjj.exe81⤵PID:4960
-
\??\c:\llffxff.exec:\llffxff.exe82⤵PID:1604
-
\??\c:\bnhnnn.exec:\bnhnnn.exe83⤵PID:4644
-
\??\c:\jvvvp.exec:\jvvvp.exe84⤵PID:5028
-
\??\c:\rlfxrlx.exec:\rlfxrlx.exe85⤵PID:4536
-
\??\c:\tbbtbh.exec:\tbbtbh.exe86⤵PID:3204
-
\??\c:\jdvpp.exec:\jdvpp.exe87⤵PID:1028
-
\??\c:\xfrfrlf.exec:\xfrfrlf.exe88⤵PID:3608
-
\??\c:\bhbthh.exec:\bhbthh.exe89⤵PID:4984
-
\??\c:\3jppv.exec:\3jppv.exe90⤵PID:3004
-
\??\c:\xfflfxl.exec:\xfflfxl.exe91⤵PID:3604
-
\??\c:\nthnbn.exec:\nthnbn.exe92⤵PID:1316
-
\??\c:\dpjpj.exec:\dpjpj.exe93⤵PID:4824
-
\??\c:\pvvdj.exec:\pvvdj.exe94⤵PID:4284
-
\??\c:\rffffrl.exec:\rffffrl.exe95⤵PID:3224
-
\??\c:\hhtttb.exec:\hhtttb.exe96⤵PID:2620
-
\??\c:\jjppj.exec:\jjppj.exe97⤵PID:5092
-
\??\c:\djpvd.exec:\djpvd.exe98⤵PID:4100
-
\??\c:\fffrrll.exec:\fffrrll.exe99⤵PID:512
-
\??\c:\xfxxrrr.exec:\xfxxrrr.exe100⤵PID:1588
-
\??\c:\nnhbtt.exec:\nnhbtt.exe101⤵PID:4164
-
\??\c:\vvvdv.exec:\vvvdv.exe102⤵PID:1944
-
\??\c:\dpjvp.exec:\dpjvp.exe103⤵PID:4232
-
\??\c:\rxxrrfx.exec:\rxxrrfx.exe104⤵PID:532
-
\??\c:\bbntnh.exec:\bbntnh.exe105⤵PID:2196
-
\??\c:\hhbbtb.exec:\hhbbtb.exe106⤵PID:3564
-
\??\c:\dvddv.exec:\dvddv.exe107⤵PID:4024
-
\??\c:\fflllrr.exec:\fflllrr.exe108⤵PID:1648
-
\??\c:\tttnbh.exec:\tttnbh.exe109⤵
- System Location Discovery: System Language Discovery
PID:4920 -
\??\c:\httttt.exec:\httttt.exe110⤵PID:1328
-
\??\c:\vjpvd.exec:\vjpvd.exe111⤵PID:1128
-
\??\c:\fllffll.exec:\fllffll.exe112⤵PID:3948
-
\??\c:\thtttb.exec:\thtttb.exe113⤵PID:1140
-
\??\c:\bbbbbh.exec:\bbbbbh.exe114⤵PID:4796
-
\??\c:\dvjdv.exec:\dvjdv.exe115⤵PID:3424
-
\??\c:\jdjjd.exec:\jdjjd.exe116⤵PID:4648
-
\??\c:\flrxxxf.exec:\flrxxxf.exe117⤵PID:4716
-
\??\c:\bnhbnn.exec:\bnhbnn.exe118⤵PID:3220
-
\??\c:\3httbb.exec:\3httbb.exe119⤵PID:1608
-
\??\c:\rllfffx.exec:\rllfffx.exe120⤵PID:2464
-
\??\c:\nnhttb.exec:\nnhttb.exe121⤵
- System Location Discovery: System Language Discovery
PID:3848 -
\??\c:\5jjjd.exec:\5jjjd.exe122⤵PID:4360
-