Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
08-09-2024 00:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d32259306086f5dd8682be41476b204f_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
General
-
Target
d32259306086f5dd8682be41476b204f_JaffaCakes118.exe
-
Size
200KB
-
MD5
d32259306086f5dd8682be41476b204f
-
SHA1
378611488a197a49a81d0399d0b4c8d93e2f95bb
-
SHA256
3842473498ce97711d865f558ae8b6a9de381dbec6fd265f5f20ef14a7da200a
-
SHA512
49ecab8e23051c85b1206525022b5e5d5fd2ff8fec2ee954d7e5a5cca7b08c269ce9710a1faa1ab995ce897383ddead98d868aa083f734c612776d00869c5a15
-
SSDEEP
1536:PvQBeOGtrYSSsrc93UBIfdC67m6AJiqyvU2r1vsKM4ltyjw:PhOm2sI93UufdC67cihvH1S/k
Malware Config
Signatures
-
Detects Blackmoon payload (63 IoCs). Every hit is on an in-memory dump of the 0x0000000000400000-0x0000000000429000 image range of one of the dropped processes, and the same regions also match the upx rule further down; the family match is therefore presumably made against the unpacked in-memory image rather than the on-disk file, so confirm before relying on static (hash- or file-signature-based) detection alone.
resource yara_rule behavioral2/memory/1956-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3488-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2780-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4828-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4852-29-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1180-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5024-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3312-46-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2164-53-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3704-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4464-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1440-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2228-76-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3476-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/464-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3748-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2224-103-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4860-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1140-127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/868-138-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3448-150-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2720-159-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2024-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2276-177-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2328-184-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1560-188-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3068-192-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2592-197-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/752-210-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3676-226-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3924-230-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2680-234-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1848-256-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1828-260-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3556-273-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4560-276-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4596-280-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1028-290-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4860-297-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2276-343-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3536-347-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/548-354-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4160-374-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4396-381-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2364-406-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1532-410-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2228-417-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/432-421-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4984-425-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1768-444-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4400-448-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5076-452-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/220-578-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4700-589-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4580-599-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4892-615-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1948-643-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4412-650-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2396-657-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3976-667-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3556-764-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/228-765-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2904-1628-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs). Note that PIDs are reused within the chain as earlier stages exit (e.g. 4828 for bnnnnn.exe and later nhttbb.exe, 3704 for hhbtnn.exe and later 5vpdv.exe, 4860 for xflfxrl.exe and later xfflflx.exe), so a memory dump such as behavioral2/memory/4828-… must be matched to a process by PID and dump sequence number together, not by PID alone.
pid Process 3488 jvvjj.exe 2780 fxxxrxx.exe 4828 bnnnnn.exe 4852 jjjdp.exe 1180 bbttbh.exe 5024 1ddpp.exe 3312 xrrxxff.exe 2164 ttbttt.exe 3704 hhbtnn.exe 1440 djpjd.exe 4464 xflfffx.exe 2228 9llrxxx.exe 3476 vdvpv.exe 464 fxrxlxx.exe 3748 bhhtbb.exe 4232 xlfrrfr.exe 2224 ttnbnn.exe 4568 pvjpv.exe 4860 xflfxrl.exe 400 tnntnt.exe 1140 dddvj.exe 1068 vjvpj.exe 868 rllfrrr.exe 4960 httttt.exe 3448 vdjdv.exe 2480 rxrlrxf.exe 2720 hnthnn.exe 2024 jvvpp.exe 2280 jdvvp.exe 2276 rxrfxlf.exe 2328 5ntnhh.exe 1560 lffxrxr.exe 3068 3tnbth.exe 2592 vjdjj.exe 1572 xflrxrr.exe 2320 ttnnbn.exe 4368 bhbhhn.exe 752 5ppvj.exe 3520 flflxxl.exe 428 xxlrxrx.exe 4004 nntttt.exe 4828 nhttbb.exe 3676 vdjpp.exe 3924 lfrffrr.exe 2680 bbnntb.exe 4924 nhthhb.exe 3344 jvpjd.exe 1920 xrxxrlf.exe 2400 bbbbtt.exe 3704 5vpdv.exe 1960 pvjpv.exe 1848 frfxrfx.exe 1828 nbthth.exe 1988 bnbtbh.exe 4188 jdpjd.exe 2084 nthbhh.exe 3556 jpvjd.exe 4560 rrrfxxl.exe 4596 hnhbnh.exe 1168 pdjjj.exe 1752 lllfrll.exe 1028 bhnntt.exe 1760 djpjd.exe 4860 xfflflx.exe -
resource yara_rule behavioral2/memory/1956-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3488-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4828-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2780-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4828-23-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4852-29-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1180-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5024-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3312-46-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2164-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3704-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4464-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1440-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2228-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3476-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/464-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3748-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2224-103-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4860-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1140-127-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/868-133-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/868-138-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3448-150-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2720-159-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2024-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2276-177-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2328-184-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1560-188-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3068-192-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2592-197-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/752-210-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3676-226-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3924-230-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2680-234-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1848-256-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1828-260-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3556-273-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4560-276-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4596-280-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1028-290-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4860-297-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2276-343-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3536-347-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/548-354-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4360-364-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4160-374-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4396-381-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2364-406-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1532-410-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2228-417-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/432-421-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4984-425-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1768-444-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4400-448-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5076-452-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3924-538-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/220-578-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2400-588-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4700-589-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4580-599-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4892-615-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1948-643-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4412-650-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2396-657-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Here the indicator is a dropped process opening the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; entries marked "Process not Found" are ones the sandbox could not attribute to a live process (presumably because it had already exited), so the per-process attribution below is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
9flrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory (64 IoCs). Each process in the chain writes three times into the memory of the child it has just spawned before that child in turn spawns the next stage (see the process tree below); only the first 64 events are listed, so the listing stops at dddvj.exe (PID 1140) writing to PID 1068 while the tree itself continues far beyond that.
description pid Process procid_target PID 1956 wrote to memory of 3488 1956 d32259306086f5dd8682be41476b204f_JaffaCakes118.exe 83 PID 1956 wrote to memory of 3488 1956 d32259306086f5dd8682be41476b204f_JaffaCakes118.exe 83 PID 1956 wrote to memory of 3488 1956 d32259306086f5dd8682be41476b204f_JaffaCakes118.exe 83 PID 3488 wrote to memory of 2780 3488 jvvjj.exe 84 PID 3488 wrote to memory of 2780 3488 jvvjj.exe 84 PID 3488 wrote to memory of 2780 3488 jvvjj.exe 84 PID 2780 wrote to memory of 4828 2780 fxxxrxx.exe 85 PID 2780 wrote to memory of 4828 2780 fxxxrxx.exe 85 PID 2780 wrote to memory of 4828 2780 fxxxrxx.exe 85 PID 4828 wrote to memory of 4852 4828 bnnnnn.exe 86 PID 4828 wrote to memory of 4852 4828 bnnnnn.exe 86 PID 4828 wrote to memory of 4852 4828 bnnnnn.exe 86 PID 4852 wrote to memory of 1180 4852 jjjdp.exe 87 PID 4852 wrote to memory of 1180 4852 jjjdp.exe 87 PID 4852 wrote to memory of 1180 4852 jjjdp.exe 87 PID 1180 wrote to memory of 5024 1180 bbttbh.exe 88 PID 1180 wrote to memory of 5024 1180 bbttbh.exe 88 PID 1180 wrote to memory of 5024 1180 bbttbh.exe 88 PID 5024 wrote to memory of 3312 5024 1ddpp.exe 89 PID 5024 wrote to memory of 3312 5024 1ddpp.exe 89 PID 5024 wrote to memory of 3312 5024 1ddpp.exe 89 PID 3312 wrote to memory of 2164 3312 xrrxxff.exe 90 PID 3312 wrote to memory of 2164 3312 xrrxxff.exe 90 PID 3312 wrote to memory of 2164 3312 xrrxxff.exe 90 PID 2164 wrote to memory of 3704 2164 ttbttt.exe 91 PID 2164 wrote to memory of 3704 2164 ttbttt.exe 91 PID 2164 wrote to memory of 3704 2164 ttbttt.exe 91 PID 3704 wrote to memory of 1440 3704 hhbtnn.exe 93 PID 3704 wrote to memory of 1440 3704 hhbtnn.exe 93 PID 3704 wrote to memory of 1440 3704 hhbtnn.exe 93 PID 1440 wrote to memory of 4464 1440 djpjd.exe 94 PID 1440 wrote to memory of 4464 1440 djpjd.exe 94 PID 1440 wrote to memory of 4464 1440 djpjd.exe 94 PID 4464 wrote to memory of 2228 4464 xflfffx.exe 95 PID 4464 wrote to memory of 2228 4464 xflfffx.exe 95 PID 4464 wrote to memory 
of 2228 4464 xflfffx.exe 95 PID 2228 wrote to memory of 3476 2228 9llrxxx.exe 96 PID 2228 wrote to memory of 3476 2228 9llrxxx.exe 96 PID 2228 wrote to memory of 3476 2228 9llrxxx.exe 96 PID 3476 wrote to memory of 464 3476 vdvpv.exe 98 PID 3476 wrote to memory of 464 3476 vdvpv.exe 98 PID 3476 wrote to memory of 464 3476 vdvpv.exe 98 PID 464 wrote to memory of 3748 464 fxrxlxx.exe 99 PID 464 wrote to memory of 3748 464 fxrxlxx.exe 99 PID 464 wrote to memory of 3748 464 fxrxlxx.exe 99 PID 3748 wrote to memory of 4232 3748 bhhtbb.exe 100 PID 3748 wrote to memory of 4232 3748 bhhtbb.exe 100 PID 3748 wrote to memory of 4232 3748 bhhtbb.exe 100 PID 4232 wrote to memory of 2224 4232 xlfrrfr.exe 101 PID 4232 wrote to memory of 2224 4232 xlfrrfr.exe 101 PID 4232 wrote to memory of 2224 4232 xlfrrfr.exe 101 PID 2224 wrote to memory of 4568 2224 ttnbnn.exe 102 PID 2224 wrote to memory of 4568 2224 ttnbnn.exe 102 PID 2224 wrote to memory of 4568 2224 ttnbnn.exe 102 PID 4568 wrote to memory of 4860 4568 pvjpv.exe 104 PID 4568 wrote to memory of 4860 4568 pvjpv.exe 104 PID 4568 wrote to memory of 4860 4568 pvjpv.exe 104 PID 4860 wrote to memory of 400 4860 xflfxrl.exe 105 PID 4860 wrote to memory of 400 4860 xflfxrl.exe 105 PID 4860 wrote to memory of 400 4860 xflfxrl.exe 105 PID 400 wrote to memory of 1140 400 tnntnt.exe 106 PID 400 wrote to memory of 1140 400 tnntnt.exe 106 PID 400 wrote to memory of 1140 400 tnntnt.exe 106 PID 1140 wrote to memory of 1068 1140 dddvj.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\d32259306086f5dd8682be41476b204f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d32259306086f5dd8682be41476b204f_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\jvvjj.exec:\jvvjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\fxxxrxx.exec:\fxxxrxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\bnnnnn.exec:\bnnnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\jjjdp.exec:\jjjdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\bbttbh.exec:\bbttbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\1ddpp.exec:\1ddpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\xrrxxff.exec:\xrrxxff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\ttbttt.exec:\ttbttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\hhbtnn.exec:\hhbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\djpjd.exec:\djpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\xflfffx.exec:\xflfffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\9llrxxx.exec:\9llrxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\vdvpv.exec:\vdvpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\fxrxlxx.exec:\fxrxlxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\bhhtbb.exec:\bhhtbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\xlfrrfr.exec:\xlfrrfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\ttnbnn.exec:\ttnbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\pvjpv.exec:\pvjpv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\xflfxrl.exec:\xflfxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\tnntnt.exec:\tnntnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\dddvj.exec:\dddvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\vjvpj.exec:\vjvpj.exe23⤵
- Executes dropped EXE
PID:1068 -
\??\c:\rllfrrr.exec:\rllfrrr.exe24⤵
- Executes dropped EXE
PID:868 -
\??\c:\httttt.exec:\httttt.exe25⤵
- Executes dropped EXE
PID:4960 -
\??\c:\vdjdv.exec:\vdjdv.exe26⤵
- Executes dropped EXE
PID:3448 -
\??\c:\rxrlrxf.exec:\rxrlrxf.exe27⤵
- Executes dropped EXE
PID:2480 -
\??\c:\hnthnn.exec:\hnthnn.exe28⤵
- Executes dropped EXE
PID:2720 -
\??\c:\jvvpp.exec:\jvvpp.exe29⤵
- Executes dropped EXE
PID:2024 -
\??\c:\jdvvp.exec:\jdvvp.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\rxrfxlf.exec:\rxrfxlf.exe31⤵
- Executes dropped EXE
PID:2276 -
\??\c:\5ntnhh.exec:\5ntnhh.exe32⤵
- Executes dropped EXE
PID:2328 -
\??\c:\lffxrxr.exec:\lffxrxr.exe33⤵
- Executes dropped EXE
PID:1560 -
\??\c:\3tnbth.exec:\3tnbth.exe34⤵
- Executes dropped EXE
PID:3068 -
\??\c:\vjdjj.exec:\vjdjj.exe35⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xflrxrr.exec:\xflrxrr.exe36⤵
- Executes dropped EXE
PID:1572 -
\??\c:\ttnnbn.exec:\ttnnbn.exe37⤵
- Executes dropped EXE
PID:2320 -
\??\c:\bhbhhn.exec:\bhbhhn.exe38⤵
- Executes dropped EXE
PID:4368 -
\??\c:\5ppvj.exec:\5ppvj.exe39⤵
- Executes dropped EXE
PID:752 -
\??\c:\flflxxl.exec:\flflxxl.exe40⤵
- Executes dropped EXE
PID:3520 -
\??\c:\xxlrxrx.exec:\xxlrxrx.exe41⤵
- Executes dropped EXE
PID:428 -
\??\c:\nntttt.exec:\nntttt.exe42⤵
- Executes dropped EXE
PID:4004 -
\??\c:\nhttbb.exec:\nhttbb.exe43⤵
- Executes dropped EXE
PID:4828 -
\??\c:\vdjpp.exec:\vdjpp.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3676 -
\??\c:\lfrffrr.exec:\lfrffrr.exe45⤵
- Executes dropped EXE
PID:3924 -
\??\c:\bbnntb.exec:\bbnntb.exe46⤵
- Executes dropped EXE
PID:2680 -
\??\c:\nhthhb.exec:\nhthhb.exe47⤵
- Executes dropped EXE
PID:4924 -
\??\c:\jvpjd.exec:\jvpjd.exe48⤵
- Executes dropped EXE
PID:3344 -
\??\c:\xrxxrlf.exec:\xrxxrlf.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1920 -
\??\c:\bbbbtt.exec:\bbbbtt.exe50⤵
- Executes dropped EXE
PID:2400 -
\??\c:\5vpdv.exec:\5vpdv.exe51⤵
- Executes dropped EXE
PID:3704 -
\??\c:\pvjpv.exec:\pvjpv.exe52⤵
- Executes dropped EXE
PID:1960 -
\??\c:\frfxrfx.exec:\frfxrfx.exe53⤵
- Executes dropped EXE
PID:1848 -
\??\c:\nbthth.exec:\nbthth.exe54⤵
- Executes dropped EXE
PID:1828 -
\??\c:\bnbtbh.exec:\bnbtbh.exe55⤵
- Executes dropped EXE
PID:1988 -
\??\c:\jdpjd.exec:\jdpjd.exe56⤵
- Executes dropped EXE
PID:4188 -
\??\c:\nthbhh.exec:\nthbhh.exe57⤵
- Executes dropped EXE
PID:2084 -
\??\c:\jpvjd.exec:\jpvjd.exe58⤵
- Executes dropped EXE
PID:3556 -
\??\c:\rrrfxxl.exec:\rrrfxxl.exe59⤵
- Executes dropped EXE
PID:4560 -
\??\c:\hnhbnh.exec:\hnhbnh.exe60⤵
- Executes dropped EXE
PID:4596 -
\??\c:\pdjjj.exec:\pdjjj.exe61⤵
- Executes dropped EXE
PID:1168 -
\??\c:\lllfrll.exec:\lllfrll.exe62⤵
- Executes dropped EXE
PID:1752 -
\??\c:\bhnntt.exec:\bhnntt.exe63⤵
- Executes dropped EXE
PID:1028 -
\??\c:\djpjd.exec:\djpjd.exe64⤵
- Executes dropped EXE
PID:1760 -
\??\c:\xfflflx.exec:\xfflflx.exe65⤵
- Executes dropped EXE
PID:4860 -
\??\c:\tthbth.exec:\tthbth.exe66⤵PID:2500
-
\??\c:\dddpv.exec:\dddpv.exe67⤵PID:3960
-
\??\c:\xxflxlr.exec:\xxflxlr.exe68⤵PID:4000
-
\??\c:\frrfxlf.exec:\frrfxlf.exe69⤵PID:1068
-
\??\c:\9hhttt.exec:\9hhttt.exe70⤵PID:3012
-
\??\c:\jjdvp.exec:\jjdvp.exe71⤵PID:2432
-
\??\c:\lflfffx.exec:\lflfffx.exe72⤵PID:4712
-
\??\c:\xrlxlrl.exec:\xrlxlrl.exe73⤵PID:2624
-
\??\c:\nhnbhb.exec:\nhnbhb.exe74⤵PID:1580
-
\??\c:\pjjpd.exec:\pjjpd.exe75⤵PID:1160
-
\??\c:\xrxfxxx.exec:\xrxfxxx.exe76⤵PID:2720
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe77⤵PID:5040
-
\??\c:\ddpdp.exec:\ddpdp.exe78⤵PID:2488
-
\??\c:\jpjjp.exec:\jpjjp.exe79⤵PID:4224
-
\??\c:\9rxrrrl.exec:\9rxrrrl.exe80⤵PID:2276
-
\??\c:\nttnhb.exec:\nttnhb.exe81⤵PID:3536
-
\??\c:\vdddp.exec:\vdddp.exe82⤵PID:4080
-
\??\c:\dvvpj.exec:\dvvpj.exe83⤵PID:548
-
\??\c:\ffxxffr.exec:\ffxxffr.exe84⤵PID:1612
-
\??\c:\9bnnbt.exec:\9bnnbt.exe85⤵PID:2920
-
\??\c:\dpjpj.exec:\dpjpj.exe86⤵PID:1504
-
\??\c:\7fffxxx.exec:\7fffxxx.exe87⤵PID:4360
-
\??\c:\tnhtnh.exec:\tnhtnh.exe88⤵PID:1648
-
\??\c:\nbbthh.exec:\nbbthh.exe89⤵PID:4160
-
\??\c:\pjpjd.exec:\pjpjd.exe90⤵PID:1860
-
\??\c:\rrrflfr.exec:\rrrflfr.exe91⤵PID:4396
-
\??\c:\vpvvp.exec:\vpvvp.exe92⤵PID:668
-
\??\c:\xxllxxx.exec:\xxllxxx.exe93⤵PID:2352
-
\??\c:\lffxxxx.exec:\lffxxxx.exe94⤵PID:1520
-
\??\c:\bbbhhh.exec:\bbbhhh.exe95⤵PID:1552
-
\??\c:\jjvjd.exec:\jjvjd.exe96⤵PID:2656
-
\??\c:\ppdjj.exec:\ppdjj.exe97⤵PID:2300
-
\??\c:\rfffxfr.exec:\rfffxfr.exe98⤵PID:1844
-
\??\c:\9flrxxl.exec:\9flrxxl.exe99⤵
- System Location Discovery: System Language Discovery
PID:2364 -
\??\c:\nnttnb.exec:\nnttnb.exe100⤵PID:1532
-
\??\c:\ntbbbn.exec:\ntbbbn.exe101⤵PID:4108
-
\??\c:\lflllll.exec:\lflllll.exe102⤵PID:2228
-
\??\c:\tbbtnn.exec:\tbbtnn.exe103⤵PID:432
-
\??\c:\jvddd.exec:\jvddd.exe104⤵PID:4984
-
\??\c:\xxxxrxx.exec:\xxxxrxx.exe105⤵PID:2324
-
\??\c:\hhhhbt.exec:\hhhhbt.exe106⤵PID:808
-
\??\c:\5dppd.exec:\5dppd.exe107⤵PID:2084
-
\??\c:\vvdvp.exec:\vvdvp.exe108⤵PID:1020
-
\??\c:\htbtbh.exec:\htbtbh.exe109⤵PID:3948
-
\??\c:\dvdvd.exec:\dvdvd.exe110⤵PID:1768
-
\??\c:\lrrfflr.exec:\lrrfflr.exe111⤵PID:4400
-
\??\c:\bbnhnn.exec:\bbnhnn.exe112⤵PID:5076
-
\??\c:\5thhth.exec:\5thhth.exe113⤵PID:1752
-
\??\c:\xlxrfxx.exec:\xlxrfxx.exe114⤵PID:3304
-
\??\c:\flfrfxr.exec:\flfrfxr.exe115⤵PID:1984
-
\??\c:\nhhbbb.exec:\nhhbbb.exe116⤵PID:4212
-
\??\c:\3jpjd.exec:\3jpjd.exe117⤵PID:4488
-
\??\c:\vpvvp.exec:\vpvvp.exe118⤵PID:4444
-
\??\c:\lrfxxxl.exec:\lrfxxxl.exe119⤵PID:4960
-
\??\c:\nttnnh.exec:\nttnnh.exe120⤵PID:4328
-
\??\c:\thtbth.exec:\thtbth.exe121⤵PID:3932
-
\??\c:\vpdvp.exec:\vpdvp.exe122⤵PID:4528