Malware Analysis Report

2025-01-18 12:26

Sample ID 240830-lfnweaybnk
Target ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118
SHA256 a329186a1a23e168fb7dbfc731a4c5bdc66c21e679bb904e5090f21f2db6d015
Tags: formbook du credential_access discovery persistence rat spyware stealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a329186a1a23e168fb7dbfc731a4c5bdc66c21e679bb904e5090f21f2db6d015

Threat Level: Known bad

The file ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118 was found to be: Known bad. In both detonations it behaves as a self-extracting archive (the WinRAR SFX temporary directory RarSFX0 appears under %TEMP%) that extracts and runs file.exe, a Formbook loader. file.exe starts a second copy of itself and replaces that copy's image (WriteProcessMemory followed by SetThreadContext), the hollowed copy then sets the thread context of Explorer.EXE, and Explorer spawns a system binary (rundll32.exe on the Windows 7 image, cmd.exe on the Windows 10 image) that hosts the payload. On Windows 7 that injected rundll32.exe deletes the original file.exe, creates the policy Run value LTXTXDZ00XV pointing at C:\Program Files (x86)\Qyx28chtp\IconCacheulodufw8.exe, creates Internet Explorer's IntelliForms\Storage2 credential-store key, and writes staging files under %APPDATA%\87M688PE\. Both runs resolve www.bjfyzl.com and connect to 154.218.175.46:80.

Malicious Activity Summary

formbook du credential_access discovery persistence rat spyware stealer trojan

Formbook

Formbook payload

Credentials from Password Stores: Credentials from Web Browsers

Adds policy Run key to start application

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-30 09:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (static signature, no per-event detail recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-30 09:28

Reported: 2024-08-30 09:31

Platform: win7-20240729-en

Max time kernel: 146s

Max time network: 148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 matches, no per-event detail recorded)

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LTXTXDZ00XV = "C:\\Program Files (x86)\\Qyx28chtp\\IconCacheulodufw8.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
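The two persistence tables above (the Policies\Explorer\Run value and the Startup-folder shortcut) are the rows a detection would key on. The following is an added example, not part of this report and not sandbox code: it parses rows in the format printed above, maps Run-key and Startup-folder writes to ATT&CK T1547.001, and additionally flags the case seen here, where the writer is a system binary (rundll32.exe) rather than an installer. The SAMPLE_ROWS are copied from the tables above; the LOLBIN_WRITERS set and the finding labels are this example's own assumptions.

```python
"""Flag autostart (ASEP) writes in sandbox registry/file event rows.

Added example, not part of the report. SAMPLE_ROWS are the three rows from
the 'Adds policy Run key' and 'Drops startup file' tables; LOLBIN_WRITERS and
the finding labels are assumptions made for this example.
"""
import re

# Run-key families, matched case-insensitively. The suffix must end the key
# or be followed by a separator so that ...\Run does not match ...\RunOnce.
RUN_KEYS = {
    "run-key": "\\software\\microsoft\\windows\\currentversion\\run",
    "runonce-key": "\\software\\microsoft\\windows\\currentversion\\runonce",
    "policy-run-key": "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# System binaries that should not be creating ASEP entries on their own; when
# they do, they are usually hosting injected code (assumed list).
LOLBIN_WRITERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

KEY_CREATED = re.compile(r"^Key created (?P<key>\S+) (?P<proc>\S+) N/A$")
SET_VALUE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<key>\S+) = "(?P<val>.*)" (?P<proc>\S+) N/A$')
FILE_CREATED = re.compile(r"^File created (?P<path>.+?) (?P<proc>\S+) N/A$")

SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LTXTXDZ00XV = "C:\\Program Files (x86)\\Qyx28chtp\\IconCacheulodufw8.exe" C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
"""


def parse_rows(text):
    """One dict per recognised row, tagged with the row kind."""
    rows = []
    for line in text.strip().splitlines():
        for kind, rx in (("key_created", KEY_CREATED), ("set_value", SET_VALUE), ("file_created", FILE_CREATED)):
            m = rx.match(line.strip())
            if m:
                rows.append({"kind": kind, **m.groupdict()})
                break
    return rows


def run_key_family(key):
    """Return the Run-key family label for a registry path, or None."""
    k = key.lower()
    for label, suffix in RUN_KEYS.items():
        i = k.find(suffix)
        if i != -1 and (i + len(suffix) == len(k) or k[i + len(suffix)] == "\\"):
            return label
    return None


def evaluate(rows):
    """Map each ASEP write to a finding (ATT&CK T1547.001) in row order."""
    findings = []
    for r in rows:
        writer = r["proc"].rsplit("\\", 1)[-1].lower()
        if r["kind"] in ("key_created", "set_value"):
            family = run_key_family(r["key"])
            if family is None:
                continue
            findings.append({
                "kind": "run-value-set" if r["kind"] == "set_value" else "run-key-created",
                "technique": "T1547.001",
                "family": family,
                # the sandbox prints the value with doubled backslashes
                "target": r.get("val", "").replace("\\\\", "\\"),
                "writer": writer,
                "lolbin_writer": writer in LOLBIN_WRITERS,
            })
        elif r["kind"] == "file_created":
            path = r["path"]
            if STARTUP_DIR in path.lower() and path.lower().endswith((".lnk", ".exe", ".bat", ".cmd", ".vbs", ".js")):
                findings.append({
                    "kind": "startup-folder-drop",
                    "technique": "T1547.001",
                    "family": "startup-folder",
                    "target": path,
                    "writer": writer,
                    "lolbin_writer": writer in LOLBIN_WRITERS,
                })
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_rows(SAMPLE_ROWS)):
        flag = " [written by system binary]" if f["lolbin_writer"] else ""
        print(f'{f["technique"]} {f["kind"]} ({f["family"]}): {f["target"]} by {f["writer"]}{flag}')
```

The Policies\Explorer\Run key is a Group Policy autostart location that Explorer processes at logon; it is worth including in any Run-key rule because it is less commonly watched than HKLM\...\CurrentVersion\Run.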

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
(two instances of the dropped loader; PIDs 2688 and 1652 in the tables below)

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target | Events
PID 2688 set thread context of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | 1
PID 1652 set thread context of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Windows\Explorer.EXE | 2
PID 288 set thread context of 1372 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE | 1
(identical rows collapsed; Events is the number of recorded calls)

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Qyx28chtp\IconCacheulodufw8.exe | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \Registry\User\S-1-5-21-2257386474-3982792636-3902186748-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\rundll32.exe | N/A
(IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form data and saved credentials; a write to it by the injected rundll32.exe fits the browser-credential signature above better than the "adware" tag suggests)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2184 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | 7
PID 2688 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | 10
PID 2688 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Windows\SysWOW64\cmd.exe | 7
PID 1372 wrote to memory of 288 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\rundll32.exe | 7
PID 288 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe | 4
(identical rows collapsed; Events is the number of recorded calls)

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\rundll32.exe | N/A
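The WriteProcessMemory and SetThreadContext tables above are enough to rebuild the injection chain without the process tree. The following is an added example, not part of this report and not sandbox code: it parses rows in the format printed above, treats a write plus a SetThreadContext on the same target as process hollowing and a SetThreadContext on a process the source never wrote to as a thread hijack, and walks the edges breadth-first from the original sample. The SAMPLE_ROWS are the behavioral1 rows with repeats dropped; the two labels are this example's own.

```python
"""Rebuild the injection chain from WriteProcessMemory / SetThreadContext rows.

Added example, not part of the sandbox report. SAMPLE_ROWS are copied from
the behavioral1 tables with duplicate rows removed.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SAMPLE_ROWS = r"""
PID 2184 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 2688 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 2688 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 288 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 288 wrote to memory of 3044 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 set thread context of 1652 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 1652 set thread context of 1372 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\Explorer.EXE
PID 288 set thread context of 1372 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Explorer.EXE
"""


def parse_events(text):
    """One dict per recognised row, in file order, with integer PIDs."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def analyze(text):
    events = parse_events(text)
    images, edges, writes, contexts = {}, [], set(), set()
    for e in events:
        images[e["src"]] = basename(e["src_img"])
        images[e["dst"]] = basename(e["dst_img"])
        pair = (e["src"], e["dst"])
        if pair not in edges:
            edges.append(pair)          # keeps first-seen order for the walk
        (writes if e["kind"].startswith("wrote") else contexts).add(pair)

    # A write followed by a context change on the same target is the hollowing
    # pattern; a context change on a process the source never wrote to (here
    # explorer.exe) is a thread hijack of an already running process.
    findings = []
    for src, dst in sorted(contexts):
        kind = "hollowing" if (src, dst) in writes else "thread-hijack"
        findings.append((src, dst, kind))

    # Breadth-first walk from the root: a source that is never a target.
    targets = {d for _, d in edges}
    root = next(s for s, _ in edges if s not in targets)
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    chain, queue, seen = [], [root], {root}
    while queue:
        pid = queue.pop(0)
        chain.append(f"{pid}:{images[pid]}")
        for nxt in adj[pid]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {"root": root, "chain": chain, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_ROWS)
    print(" -> ".join(result["chain"]))
    for src, dst, kind in result["findings"]:
        print(f"{kind}: {src} -> {dst}")
```

On the behavioral1 rows the walk yields sample (2184) -> file.exe (2688) -> file.exe (1652) and cmd.exe (2436) -> Explorer.EXE (1372) -> rundll32.exe (288) -> cmd.exe (3044), with 2688 -> 1652 classified as hollowing and both context changes on Explorer.EXE as thread hijacks.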

Processes (image, then command line; PIDs are those recorded in the signature tables above)

C:\Windows\Explorer.EXE (PID 1372)
  C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe (PID 2184, the submitted sample)
  "C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe (PID 2688, dropped loader)
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe (PID 1652, hollowed second instance)
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

C:\Windows\SysWOW64\cmd.exe (PID 2436, child of 2688)
  cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\fan" & exit

C:\Windows\SysWOW64\rundll32.exe (PID 288, child of Explorer.EXE, payload host)
  "C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\cmd.exe (PID 3044, child of 288)
  /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.franck-medale.com | udp
FR | 217.70.184.38:80 | www.franck-medale.com | tcp (2 connections)
US | 8.8.8.8:53 | www.bjfyzl.com | udp
HK | 154.218.175.46:80 | www.bjfyzl.com | tcp

Formbook cycles through a built-in list of candidate domains, most of which are decoys, so a contacted host is not by itself confirmation of a live C2 server; the domains are still worth blocking and hunting for.

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 7573bf8132ac06b36d6687bbd37cd8fa
SHA1 a26f0a134671e69e71bff2a0f7808452473d27ea
SHA256 7de138af3c37163beb8be29bd44695e0be5cba34306c94906084a0e9eb24ea7b
SHA512 63ee9d40afe01761a8b08076d2e1a78961e1040e2158f65b2fde81a7411f63e26066337c84f3e7ab8d096052bf757c2226737668ef451e35212138f33be6aa05

memory/2688-20-0x00000000741B1000-0x00000000741B2000-memory.dmp

memory/2688-21-0x00000000741B0000-0x000000007475B000-memory.dmp

memory/2688-22-0x00000000741B0000-0x000000007475B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nwhrrxoeoaonmsiyy.png

MD5 3891dd0974efc07cbcdc25bca0d08252
SHA1 5bb32d8dd341c6fdbb856352570ffcb60ca5a65e
SHA256 4cfd900e14e56b8b5570e9b370733d2c37da8edc8058ddf35dcb5044ae1d9e70
SHA512 cdf55d9ebb16418df4c523dded7fb6edd618f8875f9b1e472d9ab0c9b10df3025a7d10c7d82af7081f9d8f1b0f11a6a1cd64c4ab3958bd5d8939e378a3b6f913

memory/2688-24-0x00000000741B0000-0x000000007475B000-memory.dmp

memory/2688-25-0x00000000741B0000-0x000000007475B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uvenagxehdo.xml

MD5 4321bdacfc299dede7b38875345d0e47
SHA1 dd6bd849d1eb16a98f0b6076f9bf03001b436e7b
SHA256 00ac6970e7b56bed0b937613dff2213f980d311c4bbd7a1d8fda271de8727d30
SHA512 189bb38c5ee0b213834fc31cf30d179d6fd1521966a4b14df31ab2d479e773f6cb7f17c3406472290eac46db38674efba7225cf234a207be45c3ec88e7614dbd

memory/1652-28-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1652-32-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1652-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1652-29-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk

MD5 4d119176f4728a1b3228dac26134c486
SHA1 1652a93a1998ac806b69347b9368abc6123a6ebc
SHA256 4369c2c21b3a02ce29a0a889c4e94a4f6a9a7466a961a54c26dba65a8e5d4a28
SHA512 2d83623a7d765245bf38dabdc15186dc163ac67af8a702146b1415291ca49f98925e741ce92c0f450b749a0575da8daed81c809dc4c7b52b63d395931169ba59

memory/1652-45-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1372-46-0x0000000006FB0000-0x00000000070DF000-memory.dmp

memory/1652-47-0x0000000000400000-0x000000000042A000-memory.dmp

memory/288-48-0x00000000009E0000-0x00000000009EE000-memory.dmp

memory/288-50-0x00000000009E0000-0x00000000009EE000-memory.dmp

memory/1372-55-0x0000000007F00000-0x0000000008037000-memory.dmp

The 87M688PE directory below holds the stolen-data staging files; the *logri.ini, *logrv.ini and *logim.jpeg names match the layout Formbook uses for its keystroke log, clipboard capture and screenshot.

C:\Users\Admin\AppData\Roaming\87M688PE\87Mlogri.ini

MD5 d63a82e5d81e02e399090af26db0b9cb
SHA1 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\87M688PE\87Mlogim.jpeg

MD5 8d7e4b7c76a05a81e223a5a329bc486e
SHA1 707d9308e8082f8733a8cbd011af35435d8306d4
SHA256 49e65123fb08fd2e6e1671382954e87c19b48ea2fc8fb9b54fa3908da8a9d327
SHA512 dc5dabea041bf2f3cf0421c410f56028d5bfad54778fd1cee25c4049ea975701de7f45cff4a2a1c711d8f73e7d84aa6f7389ca5de2025b3f3c505712b6a1eab5

C:\Users\Admin\AppData\Roaming\87M688PE\87Mlogrv.ini

MD5 ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1 24cb89501f0212ff3095ecc0aba97dd563718fb1
SHA256 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512 ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-30 09:28

Reported: 2024-08-30 09:31

Platform: win10v2004-20240802-en

Max time kernel: 147s

Max time network: 149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 matches, no per-event detail recorded)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
(two instances of the dropped loader; PIDs 664 and 4864 in the tables below)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 664 set thread context of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 4616 set thread context of 3368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1368 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | 3
PID 664 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | 6
PID 664 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4616 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3
(identical rows collapsed; Events is the number of recorded calls)

Processes (image, then command line; PIDs are those recorded in the signature tables above)

C:\Windows\Explorer.EXE (PID 3368)
  C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe (PID 1368, the submitted sample)
  "C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe (PID 664, dropped loader)
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe (PID 4864, hollowed second instance)
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

C:\Windows\SysWOW64\cmd.exe (PID 4328, child of 664)
  cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\fan" & exit

C:\Windows\SysWOW64\cmd.exe (PID 4616, payload host; sets the thread context of Explorer.EXE)
  "C:\Windows\SysWOW64\cmd.exe"

C:\Windows\SysWOW64\cmd.exe (PID 1636, child of 4616)
  /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.azadkashmir.net | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (5 connections)
US | 8.8.8.8:53 | www.urbanenergyservices.com | udp
US | 8.8.8.8:53 | www.bjfyzl.com | udp
HK | 154.218.175.46:80 | www.bjfyzl.com | tcp

The in-addr.arpa reverse lookups and the TLS sessions to tse1.mm.bing.net are characteristic of Windows 10 background activity in the sandbox image rather than of the sample. The traffic attributable to the sample is the resolution of www.azadkashmir.net, www.urbanenergyservices.com and www.bjfyzl.com and the HTTP connection to 154.218.175.46:80, the same host contacted in the Windows 7 run. As noted for behavioral1, most domains in a Formbook configuration are decoys, so a contacted host is not on its own proof of live C2.
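Separating the sample's own traffic from sandbox background noise in the two Network tables above (behavioral1 and behavioral2) is a mechanical step that is easy to get wrong by hand. The following is an added example, not part of this report and not sandbox code: it parses rows in the format printed above, groups them per domain, classifies reverse lookups and an assumed allowlist of OS traffic as noise, and emits the remaining domains with the IPs actually connected to. The SAMPLE_ROWS are the rows of both tables; the ASSUMED_BACKGROUND allowlist and the verdict names are this example's own.

```python
"""Triage sandbox Network rows into IOCs and background noise.

Added example, not part of the report. SAMPLE_ROWS are the rows of the two
Network tables (behavioral1 then behavioral2). ASSUMED_BACKGROUND is this
example's allowlist for OS traffic seen in the sandbox image, not something
the report states.
"""
import re

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$")
ASSUMED_BACKGROUND = {"tse1.mm.bing.net"}  # assumption: Windows 10 background traffic

SAMPLE_ROWS = """
US 8.8.8.8:53 www.franck-medale.com udp
FR 217.70.184.38:80 www.franck-medale.com tcp
FR 217.70.184.38:80 www.franck-medale.com tcp
US 8.8.8.8:53 www.bjfyzl.com udp
HK 154.218.175.46:80 www.bjfyzl.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.azadkashmir.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.urbanenergyservices.com udp
US 8.8.8.8:53 www.bjfyzl.com udp
HK 154.218.175.46:80 www.bjfyzl.com tcp
"""


def parse_network(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def triage(rows):
    """Group rows by domain and assign one verdict per domain."""
    per_domain = {}
    for r in rows:
        d = per_domain.setdefault(r["domain"], {"lookups": 0, "connections": []})
        if r["proto"] == "udp" and r["port"] == "53":
            d["lookups"] += 1                     # DNS resolution only
        else:
            d["connections"].append((r["ip"], int(r["port"]), r["cc"]))
    for domain, d in per_domain.items():
        if domain.endswith(".in-addr.arpa"):
            d["verdict"] = "ptr-noise"            # reverse lookups issued by the OS (assumed)
        elif domain in ASSUMED_BACKGROUND:
            d["verdict"] = "os-background"
        elif d["connections"]:
            d["verdict"] = "contacted"            # a TCP session actually followed the lookup
        else:
            d["verdict"] = "resolved-only"        # looked up, never connected to
    return per_domain


def iocs(per_domain):
    """Domains worth blocking or hunting for, with the IPs actually connected to."""
    return sorted(
        (dom, sorted({ip for ip, _, _ in info["connections"]}))
        for dom, info in per_domain.items()
        if info["verdict"] in ("contacted", "resolved-only")
    )


if __name__ == "__main__":
    result = triage(parse_network(SAMPLE_ROWS))
    for dom, info in result.items():
        print(f'{info["verdict"]:14} {dom} lookups={info["lookups"]} connections={len(info["connections"])}')
    print("IOCs:", iocs(result))
```

Resolved-only domains stay on the IOC list on purpose: in a Formbook configuration the decoy and real domains are indistinguishable from one detonation, so a resolution without a connection still names infrastructure the sample was configured with.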

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 7573bf8132ac06b36d6687bbd37cd8fa
SHA1 a26f0a134671e69e71bff2a0f7808452473d27ea
SHA256 7de138af3c37163beb8be29bd44695e0be5cba34306c94906084a0e9eb24ea7b
SHA512 63ee9d40afe01761a8b08076d2e1a78961e1040e2158f65b2fde81a7411f63e26066337c84f3e7ab8d096052bf757c2226737668ef451e35212138f33be6aa05

memory/664-16-0x0000000072792000-0x0000000072793000-memory.dmp

memory/664-17-0x0000000072790000-0x0000000072D41000-memory.dmp

memory/664-18-0x0000000072790000-0x0000000072D41000-memory.dmp

memory/664-20-0x0000000072790000-0x0000000072D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nwhrrxoeoaonmsiyy.png

MD5 3891dd0974efc07cbcdc25bca0d08252
SHA1 5bb32d8dd341c6fdbb856352570ffcb60ca5a65e
SHA256 4cfd900e14e56b8b5570e9b370733d2c37da8edc8058ddf35dcb5044ae1d9e70
SHA512 cdf55d9ebb16418df4c523dded7fb6edd618f8875f9b1e472d9ab0c9b10df3025a7d10c7d82af7081f9d8f1b0f11a6a1cd64c4ab3958bd5d8939e378a3b6f913

memory/664-21-0x0000000072792000-0x0000000072793000-memory.dmp

memory/664-22-0x0000000072790000-0x0000000072D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uvenagxehdo.xml

MD5 4321bdacfc299dede7b38875345d0e47
SHA1 dd6bd849d1eb16a98f0b6076f9bf03001b436e7b
SHA256 00ac6970e7b56bed0b937613dff2213f980d311c4bbd7a1d8fda271de8727d30
SHA512 189bb38c5ee0b213834fc31cf30d179d6fd1521966a4b14df31ab2d479e773f6cb7f17c3406472290eac46db38674efba7225cf234a207be45c3ec88e7614dbd

memory/4864-24-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4864-34-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4616-33-0x0000000000D40000-0x0000000000D9A000-memory.dmp

memory/4616-35-0x0000000000D40000-0x0000000000D9A000-memory.dmp

memory/3368-39-0x0000000008B70000-0x0000000008C42000-memory.dmp