Analysis Overview
SHA256
89eb5aad487deeac212763db390216c91f1e4ec8a908cdcb2b6c37b82c059e2d
Threat Level: Known bad
The file b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-22 19:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-22 19:09
Reported
2024-08-22 19:11
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IO2JYPO7-86DR-34E2-36U8-JAWC7JQF0G5Y} | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IO2JYPO7-86DR-34E2-36U8-JAWC7JQF0G5Y}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IO2JYPO7-86DR-34E2-36U8-JAWC7JQF0G5Y} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IO2JYPO7-86DR-34E2-36U8-JAWC7JQF0G5Y}\StubPath = "C:\\Windows\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4024 set thread context of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE
"C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE
"C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
Files
memory/4024-0-0x0000000000400000-0x0000000000507200-memory.dmp
memory/4024-1-0x00000000001C0000-0x00000000001C3000-memory.dmp
memory/1108-6-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1108-7-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1108-9-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1108-14-0x0000000024010000-0x0000000024051000-memory.dmp
memory/1108-11-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4024-10-0x0000000000400000-0x0000000000507200-memory.dmp
memory/1108-18-0x0000000024060000-0x00000000240A1000-memory.dmp
memory/2020-20-0x0000000000460000-0x0000000000461000-memory.dmp
memory/2020-19-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/1108-35-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1108-64-0x0000000024060000-0x00000000240A1000-memory.dmp
memory/2020-67-0x0000000002FB0000-0x0000000002FB1000-memory.dmp
memory/2020-68-0x0000000024060000-0x00000000240A1000-memory.dmp
memory/2020-69-0x0000000024060000-0x00000000240A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 871884912354e8dc2e13b32c8ace66dc |
| SHA1 | e8270d3f78a6f5cd14cc859d3c18effaf22bff9d |
| SHA256 | 217506c4fd2ae9aef385219496b39424fa628884fedf89b8fde4aa3f78a99874 |
| SHA512 | 082907fc28a844f850a9ce85e091efca0bdbdf65c9eb66bc0026112600efd8d9cb4667daa70338618369043cbf30d365e9022b14a87ba81158b7d073f54d0138 |
C:\Windows\install\server.exe
| MD5 | b8ca92614a8464b07a5a01b219e7f919 |
| SHA1 | fcb72a8a80089088e65468a1ec74e31c105a144a |
| SHA256 | 89eb5aad487deeac212763db390216c91f1e4ec8a908cdcb2b6c37b82c059e2d |
| SHA512 | 24221c2682cc51c98adb2e9fb050c4ab5f9c1fbec7b8524a34ea063ca3bb161d06c0da03f99e104705d5f7d2959e56fe4c317beacd2c3d50dd741ce964a36c01 |
memory/1108-76-0x0000000024100000-0x0000000024141000-memory.dmp
memory/1108-73-0x00000000240B0000-0x00000000240F1000-memory.dmp
memory/1108-128-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3284-131-0x0000000024100000-0x0000000024141000-memory.dmp
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | 4362e21af8686f5ebba224768d292a5b |
| SHA1 | 504510a4d10e230dcd1605ab3342525b38a10933 |
| SHA256 | b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3 |
| SHA512 | f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850 |
memory/2020-150-0x0000000024060000-0x00000000240A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UuU.uUu
| MD5 | 9e1bad898a40a752b019b61c74f7a67a |
| SHA1 | 2b20425ecdb27ec050a2ce65b1d7e7d41030c81a |
| SHA256 | bcc3e755b1272fdedfcb9fe29a2ac4e967cb2095e14d98f138fb8d5fa1f0dadd |
| SHA512 | d81742dab3c34dea53f8f5a61ae514322abc2666bb2be9d75dbd11fa45dbc51eb1e4d2536a0ff6720090878303d8abdf52ab5e7360f628e0770e11abcbce38ec |
memory/3284-162-0x0000000024100000-0x0000000024141000-memory.dmp
memory/3284-232-0x0000000000400000-0x0000000000507200-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-22 19:09
Reported
2024-08-22 19:11
Platform
win7-20240704-en
Max time kernel
148s
Max time network
118s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{IO2JYPO7-86DR-34E2-36U8-JAWC7JQF0G5Y} | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{IO2JYPO7-86DR-34E2-36U8-JAWC7JQF0G5Y}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{IO2JYPO7-86DR-34E2-36U8-JAWC7JQF0G5Y} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{IO2JYPO7-86DR-34E2-36U8-JAWC7JQF0G5Y}\StubPath = "C:\\Windows\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2756 set thread context of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE
"C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE
"C:\Users\Admin\AppData\Local\Temp\b8ca92614a8464b07a5a01b219e7f919_JaffaCakes118.EXE"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | blessout.no-ip.biz | udp |
Files
memory/2756-0-0x0000000000400000-0x0000000000507200-memory.dmp
memory/2756-1-0x0000000000020000-0x0000000000023000-memory.dmp
memory/2952-4-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1208-16-0x0000000002D60000-0x0000000002D61000-memory.dmp
memory/2952-15-0x0000000024010000-0x0000000024051000-memory.dmp
memory/2952-12-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2952-11-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2952-10-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2756-9-0x0000000000400000-0x0000000000507200-memory.dmp
memory/2756-7-0x00000000029E0000-0x0000000002AE8000-memory.dmp
memory/1676-203-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/1676-205-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2952-259-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1676-424-0x0000000024060000-0x00000000240A1000-memory.dmp
C:\Windows\install\server.exe
| MD5 | b8ca92614a8464b07a5a01b219e7f919 |
| SHA1 | fcb72a8a80089088e65468a1ec74e31c105a144a |
| SHA256 | 89eb5aad487deeac212763db390216c91f1e4ec8a908cdcb2b6c37b82c059e2d |
| SHA512 | 24221c2682cc51c98adb2e9fb050c4ab5f9c1fbec7b8524a34ea063ca3bb161d06c0da03f99e104705d5f7d2959e56fe4c317beacd2c3d50dd741ce964a36c01 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 871884912354e8dc2e13b32c8ace66dc |
| SHA1 | e8270d3f78a6f5cd14cc859d3c18effaf22bff9d |
| SHA256 | 217506c4fd2ae9aef385219496b39424fa628884fedf89b8fde4aa3f78a99874 |
| SHA512 | 082907fc28a844f850a9ce85e091efca0bdbdf65c9eb66bc0026112600efd8d9cb4667daa70338618369043cbf30d365e9022b14a87ba81158b7d073f54d0138 |
memory/2272-447-0x0000000000400000-0x0000000000507200-memory.dmp
memory/2952-446-0x0000000001E70000-0x0000000001F78000-memory.dmp
memory/2952-688-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | 4362e21af8686f5ebba224768d292a5b |
| SHA1 | 504510a4d10e230dcd1605ab3342525b38a10933 |
| SHA256 | b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3 |
| SHA512 | f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850 |