Analysis Overview
SHA256
517dc10df7fda0b7334a76c8e34d638562f32f724e45f8f8e91f7729c6c41f2a
Threat Level: Likely benign
The file c07392e48322e4efde24d759d27262f5_JaffaCakes118 was found to be: Likely benign.
Malicious Activity Summary
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
NSIS installer
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:35
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-25 09:35
Reported
2024-08-25 09:37
Platform
win7-20240708-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2536 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2536 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2536 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2536 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\21418.bat" "C:\Users\Admin\AppData\Local\Temp\E2DA58CC4D534A7E8CDFA5BBC2B03CEF\""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\E2DA58CC4D534A7E8CDFA5BBC2B03CEF\E2DA58CC4D534A7E8CDFA5BBC2B03CEF_LogFile.txt
| MD5 | 7eca8d501b76136dc225b7abefeee71d |
| SHA1 | 2275684e9fd3cbb616c15475a8b36c594e80e7c7 |
| SHA256 | 7d5ba1a7e013f87e163ded99841cac8675938a4a0773e3367dfc51b8fdbdda32 |
| SHA512 | 737f58572eca89cb27532c276b1df8429feaa9c48a185bbecfa79e29c1f20ac1d037b87f51744cabd6e794db937bfe4de53afdfaa02d4950f458251048a84d01 |
memory/2536-63-0x00000000003B0000-0x00000000003B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\21418.bat
| MD5 | 739fcc7ba42b209fe44bea47e7a8c48f |
| SHA1 | bc7a448a7c018133edcf012bc94301623eb42c5b |
| SHA256 | 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c |
| SHA512 | 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a |
C:\Users\Admin\AppData\Local\Temp\E2DA58CC4D534A7E8CDFA5BBC2B03CEF\E2DA58~1.TXT
| MD5 | e601af37807d546eee4dd3119284cbdc |
| SHA1 | 9a20ff25c4c9da753d86ebb8d4f30c0e427d003a |
| SHA256 | fa88d98f040461e359972962a8d4d149ca6c8a4c0044df3a6446b3d57f4e2813 |
| SHA512 | 4634839e7582ca3c8e89dc01d95318b491a8d746779e33ae361014e2cf40c6c6549ccd8bef9ccca8ecb786eb0f906de3d27fd2bbd637467adb3997bee70b9deb |
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-25 09:35
Reported
2024-08-25 09:37
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
129s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3648 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3648 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3648 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11104.bat" "C:\Users\Admin\AppData\Local\Temp\6B72DFDC7AFF47FB929B76C6203EE359\""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\6B72DFDC7AFF47FB929B76C6203EE359\6B72DFDC7AFF47FB929B76C6203EE359_LogFile.txt
| MD5 | a987b94b705ae3c010b72e13cf33ef92 |
| SHA1 | d0d833b418a3d4f7c31e2bf82390532b4c867e13 |
| SHA256 | b69f22a3758b3e7d07a9a9f4509e1446242247225fc0ca8c6d646920bced0c6a |
| SHA512 | cd71eece0f6abf00fd5801d1dd162ef757cb2fbf3aee1f1a57e3f3910cc59774c4eb9a526a4e22d6b82b282f6522529e7e50ae6966f3bd81e722fa51b6bf66f6 |
C:\Users\Admin\AppData\Local\Temp\11104.bat
| MD5 | 739fcc7ba42b209fe44bea47e7a8c48f |
| SHA1 | bc7a448a7c018133edcf012bc94301623eb42c5b |
| SHA256 | 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c |
| SHA512 | 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a |
C:\Users\Admin\AppData\Local\Temp\6B72DFDC7AFF47FB929B76C6203EE359\6B72DF~1.TXT
| MD5 | edd0c0c692a4b46006e1fb1c167d571a |
| SHA1 | 29f6c045b1299c775e9385394f1689073393265d |
| SHA256 | 8c6a6915fe9766b07cfe223a5c0555ed51b6932b3cf3f63aedc9218158d56e0d |
| SHA512 | 4f5a4d057c7e6560297a81dccbabcab8cf34627bfbc1963f613796ab0695ff9836af6b1f22dfc06eb125edf8db11efa4d0e08fa54943fcba462837bdc543f481 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:35
Reported
2024-08-25 09:37
Platform
win7-20240708-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nstE82F.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nstE82F.tmp/fallbackfiles/'
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\789.bat" "C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\""
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1 -w 1000
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
| MD5 | 77bfacca17ee1d89833b57f3a746d9a0 |
| SHA1 | aa9490c913489c5eafd02f67f875efcb56d23036 |
| SHA256 | 38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52 |
| SHA512 | 21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f |
C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_splash.png
| MD5 | 0a8589de904eec91522c276d896216c4 |
| SHA1 | 58ba5e9158c3afa3c3112fe1e24567996794c07e |
| SHA256 | 496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55 |
| SHA512 | bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd |
C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_icon.ico
| MD5 | 592abe695d3fb84c8a7589b0d2553a97 |
| SHA1 | d70d6de6fa25ca1924bd02b84075ee94f3870133 |
| SHA256 | ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0 |
| SHA512 | a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978 |
C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D4BE58E4A75874495FE746463EC_LogFile.txt
| MD5 | 2afa019ce5d278359bb1e6219932c2c3 |
| SHA1 | eef70003ddfce7fbf488d5ffa214bbb2c8584a7e |
| SHA256 | 3e6de7606e8b581b5672d3ff70594950aa76c4fe87d953093c9f4c806918d6f8 |
| SHA512 | 89647f17b9341e3a43239f5f28d9382e1f00534e709854c3b9fb0c04f3e160c2fce49b34ec58aa9d0e262baae99c1669d61da61e53d044bf58010d5743a17165 |
C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D4BE58E4A75874495FE746463EC_LogFile.txt
| MD5 | c63d7b1e0809942e9ddcd4fa117a6dc1 |
| SHA1 | 031c37fe44803015210b3437a4a88e15eba1a009 |
| SHA256 | 2942e34dfe53a45c358a0a2c793bab1446ee9997f638c70b67b78f671847c396 |
| SHA512 | 2922532c93adf94959e886234f535434700f42ad5bd8857337b07886915c17e24aa5e9f2fb77f2562ff44c38b9c475d0b32816a8655163f5f2c8eba90b7b72ad |
memory/2132-73-0x00000000001E0000-0x00000000001E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\789.bat
| MD5 | 739fcc7ba42b209fe44bea47e7a8c48f |
| SHA1 | bc7a448a7c018133edcf012bc94301623eb42c5b |
| SHA256 | 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c |
| SHA512 | 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a |
memory/2116-276-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D~1.TXT
| MD5 | ebd9b0557293057bc6a1cd80ca1bcbf0 |
| SHA1 | 113cbf031f612faaa4096dbba46f4d2af959d73c |
| SHA256 | 5df1a0cd7ff8b44f33ca817422bd85d17000c33d4eb972fe05502160dac4f5d0 |
| SHA512 | a51acff2c1003f6f64ca612c8ad340a9c827a752a3bf256c014fc4d1e74a11838ee9749e12dff3d2e9188e1b99531ead24d7f93d98ed571f8064b0fbe594609c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:35
Reported
2024-08-25 09:37
Platform
win10v2004-20240802-en
Max time kernel
84s
Max time network
138s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nscBE22.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nscBE22.tmp/fallbackfiles/'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\789.bat" "C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\""
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1 -w 1000
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
| MD5 | 77bfacca17ee1d89833b57f3a746d9a0 |
| SHA1 | aa9490c913489c5eafd02f67f875efcb56d23036 |
| SHA256 | 38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52 |
| SHA512 | 21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f |
C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\A8A835AC0247414D92C96EC2E92CE1E0_LogFile.txt
| MD5 | 833860e26b3f534723d959ea629b6bc8 |
| SHA1 | 694111dc04e95081722cfe2e997db698051793e5 |
| SHA256 | 4a5b2f001c920a5e04e242860391df15f6e78fd4d0b3d2a5f419a4d1636805c4 |
| SHA512 | 6aa92e450d4517ceb3b03a2c321cd300d713109a8e9587348e5059363691058cb05c793b8dc2be7187329dee4c1d3a50ca61f0a8a61746896d70540092bcf50f |
C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_icon.ico
| MD5 | 592abe695d3fb84c8a7589b0d2553a97 |
| SHA1 | d70d6de6fa25ca1924bd02b84075ee94f3870133 |
| SHA256 | ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0 |
| SHA512 | a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978 |
C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_splash.png
| MD5 | 0a8589de904eec91522c276d896216c4 |
| SHA1 | 58ba5e9158c3afa3c3112fe1e24567996794c07e |
| SHA256 | 496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55 |
| SHA512 | bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd |
memory/4496-268-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\789.bat
| MD5 | 739fcc7ba42b209fe44bea47e7a8c48f |
| SHA1 | bc7a448a7c018133edcf012bc94301623eb42c5b |
| SHA256 | 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c |
| SHA512 | 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a |
C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\A8A835~1.TXT
| MD5 | 0bad3d097a9fad0fc4281cf3ae1e1f3d |
| SHA1 | 1c0cd92bd5ca94fdd96b9bb8796bc5c663b49686 |
| SHA256 | 0720ac35aad0076731a380aac1ed36552f74727368398dc50a5cc8021354841d |
| SHA512 | 0da321014b0805335f82e8c351ce4a132066ac641091245f9a5a60b899bff538bd0aab0a0f7820c51838c3b97a21346f256a0560c0d56c4df2396853a3ddb4e7 |