Malware Analysis Report

2024-09-22 21:55

Sample ID 240728-ze4gcstbjm
Target 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118
SHA256 f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2
Tags
azorult oski raccoon 236c7f8a01d741b888dc6b6209805e66d41e62ba credential_access discovery infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2

Threat Level: Known bad

The file 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary


Azorult

Raccoon

Oski

Raccoon Stealer V1 payload

Credentials from Password Stores: Credentials from Web Browsers

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-28 20:38

Signatures

Unsigned PE

Description Indicator Process Target
(1 detection; no indicator details recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-28 20:38
Reported: 2024-07-30 04:23
Platform: win10v2004-20240709-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
(5 detections; no indicator details recorded)

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe N/A

Geo\Nation holds the user's configured country (a Windows GeoID); stealers commonly read it for locale gating before they run, so a read of this value by a freshly dropped binary is worth treating as part of the discovery phase rather than as noise.

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe N/A 2

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe

WerFault.exe was started for PID 2128 (see its -p 2128 command lines under Processes). PID 2128 is the second instance of IhfgetrDSqwe.exe, the one PID 3872 wrote into, so the crash is in the injected-into copy, not in the dropper that launched it.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe N/A 2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe N/A 2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe N/A 1

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3356 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe 3
PID 3356 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe 3
PID 3356 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe 4
PID 3808 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe 4
PID 3872 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe

"C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe

"C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"

C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe

"C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe

"C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2128 -ip 2128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1304

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 telete.in udp 1
US 199.59.243.226:443 telete.in tcp 28
US 8.8.8.8:53 nadia.ac.ug udp 1
US 8.8.8.8:53 ferreira.ac.ug udp 2
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.28.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 226.243.59.199.in-addr.arpa udp 1
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp 1
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp 1
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 1
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp 1
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp 1
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp 1
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp 1
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp 1
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp 1

telete.in (199.59.243.226:443) is the only non-Microsoft host that was actually connected to. nadia.ac.ug and ferreira.ac.ug appear as DNS queries only; no TCP connection to either follows in the capture. The tse1.mm.bing.net traffic and the in-addr.arpa reverse lookups are consistent with background Windows traffic in the sandbox rather than with the sample.

Files

memory/3356-2-0x0000000077872000-0x0000000077873000-memory.dmp

memory/3356-3-0x0000000000620000-0x0000000000621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe

MD5 ce9ef402a6bb862ee9320dbdff92724c
SHA1 5a5f67412735e2be4f21d184ab6cc2c427eba389
SHA256 7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6
SHA512 8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe

MD5 e22eec453d5d077fecdc1fe9ead85a16
SHA1 fdca78352ec06d5b695db0ad3b8c4acb8ba965ba
SHA256 a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1
SHA512 24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

memory/2272-32-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2272-33-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2272-31-0x0000000000400000-0x0000000000498000-memory.dmp

memory/3808-30-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/3872-40-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3808-39-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2272-38-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2272-37-0x0000000000400000-0x0000000000498000-memory.dmp

memory/3808-29-0x0000000077872000-0x0000000077873000-memory.dmp

memory/3356-28-0x0000000003610000-0x0000000003617000-memory.dmp

memory/5004-41-0x0000000000400000-0x0000000000425000-memory.dmp

memory/5004-47-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5004-46-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5004-44-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3808-48-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2128-49-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2128-51-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3872-52-0x0000000000400000-0x000000000043D000-memory.dmp

memory/5004-56-0x0000000000400000-0x0000000000425000-memory.dmp

memory/5004-58-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2128-59-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2128-61-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-28 20:38
Reported: 2024-07-30 04:26
Platform: win7-20240705-en
Max time kernel: 147s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
(6 detections; no indicator details recorded)

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe N/A 2

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe

WerFault.exe was started for PID 2880 (-p 2880 under Processes), the instance of IhfgetrDSqwe.exe that PID 1988 wrote into. The same binary crashed in the same role in the Windows 10 run, so the crash is reproducible and belongs to the injected-into copy.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe N/A 2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe N/A 2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe N/A 2

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe N/A

The thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 fingerprint of the public ISRG Root X1 CA (Let's Encrypt). A root with that fingerprint landing in the machine ROOT store, written by the sample's own process while it holds an outbound TLS session, is what Windows' automatic root certificate update produces on a Windows 7 image that has not seen that CA before; the Windows 10 run of the same sample produced no such signature. Taken alone this is weak evidence of deliberate tampering. Compare the stored Blob with the published ISRG Root X1 certificate before treating it as an attacker-installed root.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1460 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe 4
PID 1460 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe 4
PID 1460 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe 5
PID 1988 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe 5
PID 2912 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe 5
PID 2880 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe C:\Windows\SysWOW64\WerFault.exe 4
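The two WriteProcessMemory tables (behavioral2 and behavioral1) show the same shape: the dropper writes into two freshly dropped binaries and into a second copy of itself, and each dropped binary in turn writes into a second copy of itself before the payload runs. The script below reconstructs that chain from report rows and labels each write, separating the hollowing pattern (same image written into a new copy of itself) from writes into a different dropped child and from the WerFault.exe crash-handler noise. It is an added example written for this page, not code from the sandbox vendor or from the report; the rows in SAMPLE are copied from the behavioral1 table above, trimmed to two rows per process pair, and embedded as a constructed sample so it runs offline. The label names are this example's own.

```python
"""Reconstruct the injection chain from 'wrote to memory' rows of a sandbox report.

Added example for this page; not code from the sandbox vendor or the report.
SAMPLE is a constructed excerpt of the behavioral1 WriteProcessMemory table.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

T = r"C:\Users\Admin\AppData\Local\Temp"  # drop directory seen in the report
W = r"C:\Windows\SysWOW64"

# Constructed sample, same column layout as the report:
# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
SAMPLE = rf"""
PID 1460 wrote to memory of 2912 N/A {T}\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe {T}\VjghertvcSD.exe
PID 1460 wrote to memory of 2912 N/A {T}\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe {T}\VjghertvcSD.exe
PID 1460 wrote to memory of 1988 N/A {T}\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe {T}\IhfgetrDSqwe.exe
PID 1460 wrote to memory of 1988 N/A {T}\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe {T}\IhfgetrDSqwe.exe
PID 1460 wrote to memory of 2716 N/A {T}\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe {T}\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
PID 1460 wrote to memory of 2716 N/A {T}\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe {T}\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
PID 1988 wrote to memory of 2880 N/A {T}\IhfgetrDSqwe.exe {T}\IhfgetrDSqwe.exe
PID 1988 wrote to memory of 2880 N/A {T}\IhfgetrDSqwe.exe {T}\IhfgetrDSqwe.exe
PID 2912 wrote to memory of 2976 N/A {T}\VjghertvcSD.exe {T}\VjghertvcSD.exe
PID 2912 wrote to memory of 2976 N/A {T}\VjghertvcSD.exe {T}\VjghertvcSD.exe
PID 2880 wrote to memory of 576 N/A {T}\IhfgetrDSqwe.exe {W}\WerFault.exe
PID 2880 wrote to memory of 576 N/A {T}\IhfgetrDSqwe.exe {W}\WerFault.exe
"""

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_rows(text: str) -> list[Write]:
    """Parse report rows; lines that do not match the layout are skipped."""
    writes: list[Write] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            writes.append(Write(int(m[1]), int(m[2]), m[3], m[4]))
    return writes


def classify(w: Write) -> str:
    """Label one cross-process write by how the two images relate."""
    if w.dst_image.lower().endswith(r"\werfault.exe"):
        return "crash-reporting"  # WER attaching to a crashing process: low signal alone
    if w.src_image.lower() == w.dst_image.lower():
        return "self-injection"  # writing into a new copy of its own image: hollowing pattern
    return "write-into-dropped-child"  # parent writing into a different binary it dropped


def summarize(text: str) -> dict:
    """Group writes per (src, dst) pair, label each pair and find the chain roots."""
    writes = parse_rows(text)
    counts = Counter((w.src_pid, w.dst_pid) for w in writes)
    labels = {(w.src_pid, w.dst_pid): classify(w) for w in writes}
    images = {w.dst_pid: w.dst_image for w in writes}
    images.update({w.src_pid: w.src_image for w in writes})
    children: dict[int, list[int]] = {}
    for src, dst in sorted(counts):
        children.setdefault(src, []).append(dst)
    targets = {dst for _, dst in counts}
    roots = sorted({src for src, _ in counts} - targets)  # never written into by anyone
    return {"counts": counts, "labels": labels, "images": images,
            "children": children, "roots": roots}


def render_tree(summary: dict, pid: int, depth: int = 0) -> list[str]:
    """Indent the injection chain below `pid`, one line per write relationship."""
    name = summary["images"][pid].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for child in summary["children"].get(pid, []):
        n = summary["counts"][(pid, child)]
        tag = summary["labels"][(pid, child)]
        lines.append(f"{'  ' * (depth + 1)}-> {n}x write [{tag}]")
        lines.extend(render_tree(summary, child, depth + 1))
    return lines


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for root in s["roots"]:
        print("\n".join(render_tree(s, root)))
```

Running it prints a single tree rooted at PID 1460 with three "self-injection" edges (1460 to 2716, 1988 to 2880, 2912 to 2976), two "write-into-dropped-child" edges and one "crash-reporting" edge, which is the structure a hunt query over Sysmon event ID 8/10 or an EDR's cross-process write telemetry should be looking for: a parent whose only children are new instances of its own image or of binaries it just wrote to disk.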

Processes

C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe

"C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe

"C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"

C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe

"C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"

C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe

"C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 784

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 telete.in udp 1
US 199.59.243.226:443 telete.in tcp 25
US 8.8.8.8:53 nadia.ac.ug udp 1
US 8.8.8.8:53 ferreira.ac.ug udp 2

As in the Windows 10 run, telete.in is the only host actually connected to; nadia.ac.ug and ferreira.ac.ug were queried at the resolver but no connection to either follows.
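Both Network tables mix three things: the one host the sample really talks to (telete.in, the Telegram web gateway that Raccoon Stealer v1 is known to query to fetch its C2 address), names that were only looked up (nadia.ac.ug, ferreira.ac.ug), and resolver noise from the sandbox itself (bing.net and the in-addr.arpa reverse lookups). The script below is an added example for this page, not code from the sandbox vendor or the report: it parses rows in the report's column layout and sorts them into contacted hosts, DNS-only names, reverse lookups of addresses that were contacted, and background traffic. SAMPLE is a constructed excerpt of the two tables above (the telete.in connection is kept twice to show counting), and BACKGROUND_SUFFIXES is this example's own allow-list, an assumption to be tuned per sandbox image.

```python
"""Triage sandbox Network rows: what was only resolved versus what was contacted.

Added example for this page; not code from the sandbox vendor or the report.
SAMPLE is a constructed excerpt of the two Network tables above.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

ROW = re.compile(r"^(\w\w) (\S+):(\d+) (\S+) (udp|tcp)$")

# Constructed excerpt, same column layout as the report: Country Destination Domain Proto
SAMPLE = """
US 8.8.8.8:53 telete.in udp
US 199.59.243.226:443 telete.in tcp
US 8.8.8.8:53 nadia.ac.ug udp
US 8.8.8.8:53 ferreira.ac.ug udp
US 8.8.8.8:53 ferreira.ac.ug udp
US 8.8.8.8:53 226.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 199.59.243.226:443 telete.in tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

# Assumption (this example's own list): hostnames under these suffixes are
# Windows/sandbox background traffic, not activity attributable to the sample.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftncsi.com")


def parse(text: str) -> list[dict]:
    """Parse report rows into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"cc": m[1], "ip": m[2], "port": int(m[3]),
                         "domain": m[4], "proto": m[5]})
    return rows


def ptr_to_ip(name: str) -> str | None:
    """'226.243.59.199.in-addr.arpa' -> '199.59.243.226'; None for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def triage(text: str) -> dict:
    """Split rows into contacted hosts, DNS-only names, PTR lookups and background noise."""
    rows = parse(text)
    resolved: set[str] = set()
    contacted: dict[str, Counter] = defaultdict(Counter)
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            resolved.add(r["domain"])  # a query to the resolver, not a connection
        else:
            contacted[r["domain"]][(r["ip"], r["port"], r["proto"])] += 1

    out: dict = {"contacted": {}, "dns_only": [], "ptr_of_contacted": [],
                 "ptr_other": [], "background": []}
    contacted_ips = {ip for c in contacted.values() for (ip, _, _) in c}
    for name in sorted(resolved | set(contacted)):
        ip = ptr_to_ip(name)
        if ip is not None:
            # A reverse lookup of an address we connected to is the OS/sandbox, not the sample
            bucket = "ptr_of_contacted" if ip in contacted_ips else "ptr_other"
            out[bucket].append(name)
        elif name.endswith(BACKGROUND_SUFFIXES):
            out["background"].append(name)
        elif name in contacted:
            out["contacted"][name] = dict(contacted[name])
        else:
            out["dns_only"].append(name)  # resolved (or attempted) but never connected to
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the full tables the "contacted" bucket contains only telete.in at 199.59.243.226:443, which is the endpoint to block and to pivot on; the "dns_only" names are still worth recording as indicators, since a failed or unanswered lookup in the sandbox says nothing about whether the infrastructure was live when the sample was delivered.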

Files

memory/1460-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe

MD5 ce9ef402a6bb862ee9320dbdff92724c
SHA1 5a5f67412735e2be4f21d184ab6cc2c427eba389
SHA256 7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6
SHA512 8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

memory/1460-21-0x0000000001ED0000-0x0000000001ED7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe

MD5 e22eec453d5d077fecdc1fe9ead85a16
SHA1 fdca78352ec06d5b695db0ad3b8c4acb8ba965ba
SHA256 a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1
SHA512 24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

memory/1460-34-0x0000000001ED0000-0x0000000001ED7000-memory.dmp

memory/2716-32-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2716-31-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2716-29-0x0000000000400000-0x0000000000498000-memory.dmp

memory/2716-25-0x0000000000400000-0x0000000000498000-memory.dmp

memory/1988-26-0x0000000000240000-0x0000000000248000-memory.dmp

memory/1988-24-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2912-35-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1988-40-0x0000000000240000-0x0000000000248000-memory.dmp

memory/2880-38-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2880-41-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2976-45-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2976-47-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2912-49-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2976-50-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2976-51-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2716-52-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2880-53-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2880-61-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2716-62-0x0000000000400000-0x0000000000498000-memory.dmp