Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
08/09/2024, 09:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d4111ea12153eb1ba1e6dbcbf059b41b_JaffaCakes118.exe
Resource
win7-20240729-en
6 signatures
150 seconds
General
-
Target
d4111ea12153eb1ba1e6dbcbf059b41b_JaffaCakes118.exe
-
Size
357KB
-
MD5
d4111ea12153eb1ba1e6dbcbf059b41b
-
SHA1
40c377a5e609badbb85113adc8b17122c9ecba64
-
SHA256
2f01cd6060931fb726f8f030c7f9c3e30c28a30669a1cb314ff2605da3d5cc9d
-
SHA512
c3737e0b7172ecebd258fab4eda1bf3d8b537ce1ee07bd818a0a6ef02230153356e878be95cdf62a918485990e062a7f11badc04235f1606f5e2c2f5e7d4a2d4
-
SSDEEP
3072:PhOm2sI93UufdC67cihfmCiiiXAsACF486jFX8fkYtB6J6eUTV4aTHDaLJ:Pcm7ImGddXtWrXD486jFX88Y/eUBnc
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3792-5-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1900-13-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3688-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2400-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/776-29-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2128-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4892-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4720-46-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/244-52-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/960-68-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1892-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2284-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3704-85-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3044-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3472-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1044-104-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4976-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/836-122-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4580-133-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2064-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/716-149-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/708-152-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4804-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3976-167-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4764-174-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4020-197-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4972-201-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2952-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4324-216-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4332-220-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/464-230-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5056-234-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4536-238-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1404-245-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1072-252-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1400-262-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4984-266-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4328-270-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3336-277-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2248-284-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/964-302-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2820-327-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4448-334-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2944-341-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/720-363-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/436-376-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3616-380-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4348-394-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1872-407-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/740-417-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2620-454-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4384-491-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2136-510-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4892-593-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4764-696-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3900-721-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4912-810-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2580-853-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1180-875-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5068-1021-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4628-1136-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4348-1433-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4580-1528-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/1060-1661-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1900 vpvpp.exe 3688 rllfxrl.exe 2400 vvvjv.exe 776 5bnbtt.exe 2128 xrfxrxr.exe 4892 tttnhn.exe 4720 pvvpp.exe 244 hbttnn.exe 2184 ddppp.exe 4872 7ffxxxr.exe 960 ttnhbb.exe 1892 vdpvj.exe 2284 xlrlffr.exe 3704 hnhhbb.exe 3044 vvddv.exe 3472 nbhbbb.exe 1044 btthbb.exe 1876 pjvpj.exe 4976 xflfxrr.exe 836 btnhhh.exe 4036 lfxrffx.exe 4580 rrrfxxl.exe 2484 jdpjj.exe 2064 1jvpd.exe 708 fxlffff.exe 716 hbhhhn.exe 4804 3dpjj.exe 3976 1lffrrl.exe 4764 nbnnnn.exe 448 frlxrrr.exe 1436 5llxrlr.exe 4132 jjpjv.exe 2744 rfxrxrf.exe 2392 tnbtnh.exe 4020 3tbthh.exe 4972 pddvj.exe 2952 rlrlfff.exe 3112 hbbhbb.exe 4852 1bnhhh.exe 4324 jjpjd.exe 4332 xllrfxr.exe 556 nnhbtt.exe 1872 tttnhh.exe 464 vjdvp.exe 5056 jjppj.exe 4536 lfrlffx.exe 4808 httnhb.exe 1404 9bnhbt.exe 1908 vpvpj.exe 1072 xllfxrl.exe 2348 lfllfxx.exe 116 7bhbhb.exe 1400 vjjvp.exe 4984 ddddp.exe 2304 xxffxxr.exe 4328 9nttnh.exe 3336 jddvp.exe 960 jpvvp.exe 2248 fxffxrr.exe 4532 tbtnhh.exe 4060 tnbtnt.exe 2284 pdjdv.exe 4692 frxrffx.exe 964 3tnhht.exe -
resource yara_rule behavioral2/memory/3792-5-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1900-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3688-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3688-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2400-23-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/776-29-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2128-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4892-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4720-46-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/244-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/960-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1892-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2284-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3704-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3044-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3472-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1044-104-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4976-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/836-122-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4580-133-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2064-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/716-149-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/708-152-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4804-160-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3976-167-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4764-174-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4020-197-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4972-201-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2952-205-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4324-216-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4332-220-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/464-230-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5056-234-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4536-238-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1404-245-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1072-252-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1400-262-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4984-266-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4328-270-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3336-277-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2248-284-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/116-291-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/964-302-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2820-327-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4448-334-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2944-341-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/720-363-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/436-376-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3616-380-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4348-394-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1872-407-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/740-417-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2620-454-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4384-491-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2136-510-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1748-550-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4892-593-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4764-696-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3900-721-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4912-806-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4912-810-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2580-853-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1180-875-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5068-1021-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3792 wrote to memory of 1900 3792 d4111ea12153eb1ba1e6dbcbf059b41b_JaffaCakes118.exe 83 PID 3792 wrote to memory of 1900 3792 d4111ea12153eb1ba1e6dbcbf059b41b_JaffaCakes118.exe 83 PID 3792 wrote to memory of 1900 3792 d4111ea12153eb1ba1e6dbcbf059b41b_JaffaCakes118.exe 83 PID 1900 wrote to memory of 3688 1900 vpvpp.exe 84 PID 1900 wrote to memory of 3688 1900 vpvpp.exe 84 PID 1900 wrote to memory of 3688 1900 vpvpp.exe 84 PID 3688 wrote to memory of 2400 3688 rllfxrl.exe 85 PID 3688 wrote to memory of 2400 3688 rllfxrl.exe 85 PID 3688 wrote to memory of 2400 3688 rllfxrl.exe 85 PID 2400 wrote to memory of 776 2400 vvvjv.exe 87 PID 2400 wrote to memory of 776 2400 vvvjv.exe 87 PID 2400 wrote to memory of 776 2400 vvvjv.exe 87 PID 776 wrote to memory of 2128 776 5bnbtt.exe 88 PID 776 wrote to memory of 2128 776 5bnbtt.exe 88 PID 776 wrote to memory of 2128 776 5bnbtt.exe 88 PID 2128 wrote to memory of 4892 2128 xrfxrxr.exe 90 PID 2128 wrote to memory of 4892 2128 xrfxrxr.exe 90 PID 2128 wrote to memory of 4892 2128 xrfxrxr.exe 90 PID 4892 wrote to memory of 4720 4892 tttnhn.exe 91 PID 4892 wrote to memory of 4720 4892 tttnhn.exe 91 PID 4892 wrote to memory of 4720 4892 tttnhn.exe 91 PID 4720 wrote to memory of 244 4720 pvvpp.exe 92 PID 4720 wrote to memory of 244 4720 pvvpp.exe 92 PID 4720 wrote to memory of 244 4720 pvvpp.exe 92 PID 244 wrote to memory of 2184 244 hbttnn.exe 93 PID 244 wrote to memory of 2184 244 hbttnn.exe 93 PID 244 wrote to memory of 2184 244 hbttnn.exe 93 PID 2184 wrote to memory of 4872 2184 ddppp.exe 95 PID 2184 wrote to memory of 4872 2184 ddppp.exe 95 PID 2184 wrote to memory of 4872 2184 ddppp.exe 95 PID 4872 wrote to memory of 960 4872 7ffxxxr.exe 96 PID 4872 wrote to memory of 960 4872 7ffxxxr.exe 96 PID 4872 wrote to memory of 960 4872 7ffxxxr.exe 96 PID 960 wrote to memory of 1892 960 ttnhbb.exe 97 PID 960 wrote to memory of 1892 960 ttnhbb.exe 97 PID 960 wrote to memory of 1892 960 ttnhbb.exe 97 
PID 1892 wrote to memory of 2284 1892 vdpvj.exe 98 PID 1892 wrote to memory of 2284 1892 vdpvj.exe 98 PID 1892 wrote to memory of 2284 1892 vdpvj.exe 98 PID 2284 wrote to memory of 3704 2284 xlrlffr.exe 99 PID 2284 wrote to memory of 3704 2284 xlrlffr.exe 99 PID 2284 wrote to memory of 3704 2284 xlrlffr.exe 99 PID 3704 wrote to memory of 3044 3704 hnhhbb.exe 100 PID 3704 wrote to memory of 3044 3704 hnhhbb.exe 100 PID 3704 wrote to memory of 3044 3704 hnhhbb.exe 100 PID 3044 wrote to memory of 3472 3044 vvddv.exe 101 PID 3044 wrote to memory of 3472 3044 vvddv.exe 101 PID 3044 wrote to memory of 3472 3044 vvddv.exe 101 PID 3472 wrote to memory of 1044 3472 nbhbbb.exe 102 PID 3472 wrote to memory of 1044 3472 nbhbbb.exe 102 PID 3472 wrote to memory of 1044 3472 nbhbbb.exe 102 PID 1044 wrote to memory of 1876 1044 btthbb.exe 103 PID 1044 wrote to memory of 1876 1044 btthbb.exe 103 PID 1044 wrote to memory of 1876 1044 btthbb.exe 103 PID 1876 wrote to memory of 4976 1876 pjvpj.exe 104 PID 1876 wrote to memory of 4976 1876 pjvpj.exe 104 PID 1876 wrote to memory of 4976 1876 pjvpj.exe 104 PID 4976 wrote to memory of 836 4976 xflfxrr.exe 105 PID 4976 wrote to memory of 836 4976 xflfxrr.exe 105 PID 4976 wrote to memory of 836 4976 xflfxrr.exe 105 PID 836 wrote to memory of 4036 836 btnhhh.exe 106 PID 836 wrote to memory of 4036 836 btnhhh.exe 106 PID 836 wrote to memory of 4036 836 btnhhh.exe 106 PID 4036 wrote to memory of 4580 4036 lfxrffx.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4111ea12153eb1ba1e6dbcbf059b41b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d4111ea12153eb1ba1e6dbcbf059b41b_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\vpvpp.exec:\vpvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\rllfxrl.exec:\rllfxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\vvvjv.exec:\vvvjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\5bnbtt.exec:\5bnbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\xrfxrxr.exec:\xrfxrxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\tttnhn.exec:\tttnhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\pvvpp.exec:\pvvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\hbttnn.exec:\hbttnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\ddppp.exec:\ddppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\7ffxxxr.exec:\7ffxxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\ttnhbb.exec:\ttnhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\vdpvj.exec:\vdpvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\xlrlffr.exec:\xlrlffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\hnhhbb.exec:\hnhhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\vvddv.exec:\vvddv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\nbhbbb.exec:\nbhbbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\btthbb.exec:\btthbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\pjvpj.exec:\pjvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\xflfxrr.exec:\xflfxrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\btnhhh.exec:\btnhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\lfxrffx.exec:\lfxrffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\rrrfxxl.exec:\rrrfxxl.exe23⤵
- Executes dropped EXE
PID:4580 -
\??\c:\jdpjj.exec:\jdpjj.exe24⤵
- Executes dropped EXE
PID:2484 -
\??\c:\1jvpd.exec:\1jvpd.exe25⤵
- Executes dropped EXE
PID:2064 -
\??\c:\fxlffff.exec:\fxlffff.exe26⤵
- Executes dropped EXE
PID:708 -
\??\c:\hbhhhn.exec:\hbhhhn.exe27⤵
- Executes dropped EXE
PID:716 -
\??\c:\3dpjj.exec:\3dpjj.exe28⤵
- Executes dropped EXE
PID:4804 -
\??\c:\1lffrrl.exec:\1lffrrl.exe29⤵
- Executes dropped EXE
PID:3976 -
\??\c:\nbnnnn.exec:\nbnnnn.exe30⤵
- Executes dropped EXE
PID:4764 -
\??\c:\frlxrrr.exec:\frlxrrr.exe31⤵
- Executes dropped EXE
PID:448 -
\??\c:\5llxrlr.exec:\5llxrlr.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1436 -
\??\c:\jjpjv.exec:\jjpjv.exe33⤵
- Executes dropped EXE
PID:4132 -
\??\c:\rfxrxrf.exec:\rfxrxrf.exe34⤵
- Executes dropped EXE
PID:2744 -
\??\c:\tnbtnh.exec:\tnbtnh.exe35⤵
- Executes dropped EXE
PID:2392 -
\??\c:\3tbthh.exec:\3tbthh.exe36⤵
- Executes dropped EXE
PID:4020 -
\??\c:\pddvj.exec:\pddvj.exe37⤵
- Executes dropped EXE
PID:4972 -
\??\c:\rlrlfff.exec:\rlrlfff.exe38⤵
- Executes dropped EXE
PID:2952 -
\??\c:\hbbhbb.exec:\hbbhbb.exe39⤵
- Executes dropped EXE
PID:3112 -
\??\c:\1bnhhh.exec:\1bnhhh.exe40⤵
- Executes dropped EXE
PID:4852 -
\??\c:\jjpjd.exec:\jjpjd.exe41⤵
- Executes dropped EXE
PID:4324 -
\??\c:\xllrfxr.exec:\xllrfxr.exe42⤵
- Executes dropped EXE
PID:4332 -
\??\c:\nnhbtt.exec:\nnhbtt.exe43⤵
- Executes dropped EXE
PID:556 -
\??\c:\tttnhh.exec:\tttnhh.exe44⤵
- Executes dropped EXE
PID:1872 -
\??\c:\vjdvp.exec:\vjdvp.exe45⤵
- Executes dropped EXE
PID:464 -
\??\c:\jjppj.exec:\jjppj.exe46⤵
- Executes dropped EXE
PID:5056 -
\??\c:\lfrlffx.exec:\lfrlffx.exe47⤵
- Executes dropped EXE
PID:4536 -
\??\c:\httnhb.exec:\httnhb.exe48⤵
- Executes dropped EXE
PID:4808 -
\??\c:\9bnhbt.exec:\9bnhbt.exe49⤵
- Executes dropped EXE
PID:1404 -
\??\c:\vpvpj.exec:\vpvpj.exe50⤵
- Executes dropped EXE
PID:1908 -
\??\c:\xllfxrl.exec:\xllfxrl.exe51⤵
- Executes dropped EXE
PID:1072 -
\??\c:\lfllfxx.exec:\lfllfxx.exe52⤵
- Executes dropped EXE
PID:2348 -
\??\c:\7bhbhb.exec:\7bhbhb.exe53⤵
- Executes dropped EXE
PID:116 -
\??\c:\vjjvp.exec:\vjjvp.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1400 -
\??\c:\ddddp.exec:\ddddp.exe55⤵
- Executes dropped EXE
PID:4984 -
\??\c:\xxffxxr.exec:\xxffxxr.exe56⤵
- Executes dropped EXE
PID:2304 -
\??\c:\9nttnh.exec:\9nttnh.exe57⤵
- Executes dropped EXE
PID:4328 -
\??\c:\jddvp.exec:\jddvp.exe58⤵
- Executes dropped EXE
PID:3336 -
\??\c:\jpvvp.exec:\jpvvp.exe59⤵
- Executes dropped EXE
PID:960 -
\??\c:\fxffxrr.exec:\fxffxrr.exe60⤵
- Executes dropped EXE
PID:2248 -
\??\c:\tbtnhh.exec:\tbtnhh.exe61⤵
- Executes dropped EXE
PID:4532 -
\??\c:\tnbtnt.exec:\tnbtnt.exe62⤵
- Executes dropped EXE
PID:4060 -
\??\c:\pdjdv.exec:\pdjdv.exe63⤵
- Executes dropped EXE
PID:2284 -
\??\c:\frxrffx.exec:\frxrffx.exe64⤵
- Executes dropped EXE
PID:4692 -
\??\c:\3tnhht.exec:\3tnhht.exe65⤵
- Executes dropped EXE
PID:964 -
\??\c:\hntnhh.exec:\hntnhh.exe66⤵PID:3292
-
\??\c:\pjjjd.exec:\pjjjd.exe67⤵PID:428
-
\??\c:\lfxxrxr.exec:\lfxxrxr.exe68⤵PID:212
-
\??\c:\rrfxlll.exec:\rrfxlll.exe69⤵PID:2088
-
\??\c:\bttbbn.exec:\bttbbn.exe70⤵PID:1352
-
\??\c:\1pjdv.exec:\1pjdv.exe71⤵PID:1336
-
\??\c:\jdppp.exec:\jdppp.exe72⤵PID:1140
-
\??\c:\ffrlrlx.exec:\ffrlrlx.exe73⤵PID:2820
-
\??\c:\flrrllf.exec:\flrrllf.exe74⤵PID:5068
-
\??\c:\ntbtnh.exec:\ntbtnh.exe75⤵PID:4448
-
\??\c:\dpppp.exec:\dpppp.exe76⤵PID:2508
-
\??\c:\dpddv.exec:\dpddv.exe77⤵PID:2944
-
\??\c:\fxlrxrx.exec:\fxlrxrx.exe78⤵PID:3512
-
\??\c:\thnhbt.exec:\thnhbt.exe79⤵PID:716
-
\??\c:\ttnhbb.exec:\ttnhbb.exe80⤵PID:2408
-
\??\c:\jdpjd.exec:\jdpjd.exe81⤵PID:4228
-
\??\c:\5pppj.exec:\5pppj.exe82⤵PID:2364
-
\??\c:\xlrlllf.exec:\xlrlllf.exe83⤵PID:3576
-
\??\c:\9xrllff.exec:\9xrllff.exe84⤵PID:720
-
\??\c:\bnttht.exec:\bnttht.exe85⤵PID:3540
-
\??\c:\nhhbbb.exec:\nhhbbb.exe86⤵PID:636
-
\??\c:\vpvdv.exec:\vpvdv.exe87⤵PID:3900
-
\??\c:\xffxrrf.exec:\xffxrrf.exe88⤵PID:436
-
\??\c:\1fllllr.exec:\1fllllr.exe89⤵PID:3616
-
\??\c:\bbbhht.exec:\bbbhht.exe90⤵PID:1188
-
\??\c:\7djdv.exec:\7djdv.exe91⤵PID:5116
-
\??\c:\vddvp.exec:\vddvp.exe92⤵PID:4588
-
\??\c:\lxrlfff.exec:\lxrlfff.exe93⤵PID:2588
-
\??\c:\rrlxlxf.exec:\rrlxlxf.exe94⤵PID:4348
-
\??\c:\ttnhbb.exec:\ttnhbb.exe95⤵PID:4100
-
\??\c:\9pddv.exec:\9pddv.exe96⤵PID:3792
-
\??\c:\vjjdv.exec:\vjjdv.exe97⤵PID:556
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe98⤵PID:1872
-
\??\c:\nnttnn.exec:\nnttnn.exe99⤵PID:5052
-
\??\c:\tnnhbt.exec:\tnnhbt.exe100⤵PID:2360
-
\??\c:\vppjd.exec:\vppjd.exe101⤵PID:740
-
\??\c:\pdjdv.exec:\pdjdv.exe102⤵PID:4808
-
\??\c:\llfxxxr.exec:\llfxxxr.exe103⤵PID:1000
-
\??\c:\thhhbh.exec:\thhhbh.exe104⤵PID:3936
-
\??\c:\vvjdd.exec:\vvjdd.exe105⤵PID:1072
-
\??\c:\7rrrllf.exec:\7rrrllf.exe106⤵PID:1640
-
\??\c:\ffllfrl.exec:\ffllfrl.exe107⤵PID:2524
-
\??\c:\bnnnhh.exec:\bnnnhh.exe108⤵PID:1400
-
\??\c:\jddvj.exec:\jddvj.exe109⤵PID:4360
-
\??\c:\ppvvd.exec:\ppvvd.exe110⤵PID:2296
-
\??\c:\llfxllf.exec:\llfxllf.exe111⤵PID:1620
-
\??\c:\tbhbbb.exec:\tbhbbb.exe112⤵PID:2196
-
\??\c:\hhbtbb.exec:\hhbtbb.exe113⤵PID:2620
-
\??\c:\vppjd.exec:\vppjd.exe114⤵PID:960
-
\??\c:\vvvdv.exec:\vvvdv.exe115⤵PID:2628
-
\??\c:\lffxxxr.exec:\lffxxxr.exe116⤵PID:2020
-
\??\c:\htbtnn.exec:\htbtnn.exe117⤵PID:5064
-
\??\c:\bbnhnn.exec:\bbnhnn.exe118⤵PID:2284
-
\??\c:\3dvpd.exec:\3dvpd.exe119⤵PID:3544
-
\??\c:\rrrrxxf.exec:\rrrrxxf.exe120⤵PID:1868
-
\??\c:\7tttnn.exec:\7tttnn.exe121⤵PID:3472
-
\??\c:\nthhbb.exec:\nthhbb.exe122⤵PID:388