Malware Analysis Report

2024-11-13 16:18

Sample ID 240826-xxrt6s1aqc
Target c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118
SHA256 99b1b22055fc3b65d41897f793b391692268773a7a316cb7afa88c7493c7bcbc
Tags
agenttesla agilenet collection credential_access discovery keylogger persistence spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

99b1b22055fc3b65d41897f793b391692268773a7a316cb7afa88c7493c7bcbc

Threat Level: Known bad

The file c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

agenttesla agilenet collection credential_access discovery keylogger persistence spyware stealer trojan

AgentTesla

Agenttesla family

Credentials from Password Stores: Credentials from Web Browsers

AgentTesla payload

Reads user/profile data of local email clients

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Reads WinSCP keys stored on the system

Checks computer location settings

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 19:14

Signatures

Agenttesla family

agenttesla

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 19:14

Reported

2024-08-26 19:16

Platform

win7-20240704-en

Max time kernel

131s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\ndsg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\ndsg.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\nsmu = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\ndsg.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\57QwA12 = "C:\\Users\\Admin\\AppData\\Roaming\\57QwA12\\57QwA12.exe" | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1228 set thread context of 1296 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\ndsg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\ndsg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2976 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2632 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Users\Admin\ndsg.exe
PID 2976 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Users\Admin\ndsg.exe
PID 2976 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Users\Admin\ndsg.exe
PID 2976 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Users\Admin\ndsg.exe
PID 1228 wrote to memory of 1296 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1228 wrote to memory of 1296 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1228 wrote to memory of 1296 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1228 wrote to memory of 1296 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1228 wrote to memory of 1296 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1228 wrote to memory of 1296 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1228 wrote to memory of 1296 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1228 wrote to memory of 1296 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1228 wrote to memory of 1296 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v nsmu /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\ndsg.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v nsmu /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\ndsg.exe"

C:\Users\Admin\ndsg.exe

"C:\Users\Admin\ndsg.exe"

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"

Network

N/A

Files

memory/2976-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

memory/2976-1-0x0000000000CA0000-0x0000000000D7E000-memory.dmp

memory/2976-2-0x0000000000310000-0x0000000000320000-memory.dmp

memory/2976-3-0x0000000073F90000-0x000000007467E000-memory.dmp

memory/2976-4-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

memory/2976-5-0x0000000073F90000-0x000000007467E000-memory.dmp

memory/2976-7-0x0000000073F90000-0x000000007467E000-memory.dmp

memory/2976-8-0x0000000073F90000-0x000000007467E000-memory.dmp

\Users\Admin\ndsg.exe

MD5 c3a6abd0693f51c606a76e17f84d29a0
SHA1 86a54e72adf557aa38eb80bbece222f48cfaa99e
SHA256 99b1b22055fc3b65d41897f793b391692268773a7a316cb7afa88c7493c7bcbc
SHA512 27a0e3ee1fd222d66a62fcca12e04e8d603be79fe80fb05a9feb9832645af767dd9f06847854593b052d6241d6c13f423aa8b6ec779cb34e166a0d4cd485617a

memory/1228-16-0x0000000001370000-0x000000000144E000-memory.dmp

memory/2976-18-0x0000000073F90000-0x000000007467E000-memory.dmp

memory/1228-17-0x0000000073F90000-0x000000007467E000-memory.dmp

memory/1228-19-0x0000000073F90000-0x000000007467E000-memory.dmp

memory/1228-20-0x0000000000550000-0x000000000055A000-memory.dmp

\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 6a673bfc3b67ae9782cb31af2f234c68
SHA1 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

memory/1296-29-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1296-27-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1296-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1296-25-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1296-23-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1296-32-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1296-34-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1228-36-0x0000000073F90000-0x000000007467E000-memory.dmp

memory/1296-35-0x0000000000400000-0x0000000000466000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 19:14

Reported

2024-08-26 19:16

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\ndsg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nsmu = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\ndsg.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\57QwA12 = "C:\\Users\\Admin\\AppData\\Roaming\\57QwA12\\57QwA12.exe" | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2556 set thread context of 4460 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\ndsg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\ndsg.exe | N/A
N/A | N/A | C:\Users\Admin\ndsg.exe | N/A
N/A | N/A | C:\Users\Admin\ndsg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\ndsg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1420 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 5092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4512 wrote to memory of 5092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4512 wrote to memory of 5092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1420 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Users\Admin\ndsg.exe
PID 1420 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Users\Admin\ndsg.exe
PID 1420 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe | C:\Users\Admin\ndsg.exe
PID 2556 wrote to memory of 4460 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2556 wrote to memory of 4460 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2556 wrote to memory of 4460 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2556 wrote to memory of 4460 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2556 wrote to memory of 4460 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2556 wrote to memory of 4460 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2556 wrote to memory of 4460 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2556 wrote to memory of 4460 | N/A | C:\Users\Admin\ndsg.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v nsmu /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\ndsg.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v nsmu /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\ndsg.exe"

C:\Users\Admin\ndsg.exe

"C:\Users\Admin\ndsg.exe"

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/1420-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

memory/1420-1-0x00000000008A0000-0x000000000097E000-memory.dmp

memory/1420-2-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/1420-3-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

memory/1420-4-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

memory/1420-5-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/1420-6-0x0000000005FA0000-0x0000000006544000-memory.dmp

memory/1420-7-0x0000000005AD0000-0x0000000005B62000-memory.dmp

memory/1420-8-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/1420-10-0x0000000074ED0000-0x0000000075680000-memory.dmp

C:\Users\Admin\ndsg.exe

MD5 c3a6abd0693f51c606a76e17f84d29a0
SHA1 86a54e72adf557aa38eb80bbece222f48cfaa99e
SHA256 99b1b22055fc3b65d41897f793b391692268773a7a316cb7afa88c7493c7bcbc
SHA512 27a0e3ee1fd222d66a62fcca12e04e8d603be79fe80fb05a9feb9832645af767dd9f06847854593b052d6241d6c13f423aa8b6ec779cb34e166a0d4cd485617a

memory/1420-42-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/2556-41-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/2556-43-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/2556-44-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/2556-45-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/2556-46-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/2556-47-0x0000000005D60000-0x0000000005D6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 9827ff3cdf4b83f9c86354606736ca9c
SHA1 e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
SHA256 c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
SHA512 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

memory/4460-49-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2556-53-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4460-54-0x0000000005A00000-0x0000000005A9C000-memory.dmp

memory/4460-55-0x0000000005F60000-0x0000000005F78000-memory.dmp

memory/4460-56-0x00000000065D0000-0x0000000006636000-memory.dmp

memory/4460-58-0x0000000006AD0000-0x0000000006B20000-memory.dmp

memory/4460-59-0x0000000006EA0000-0x0000000006EAA000-memory.dmp