Malware Analysis Report

2025-01-22 13:49

Sample ID: 240908-tb19yaxbjb
Target: d4b8a82a729cdf72567046b7555a0922_JaffaCakes118
SHA256: 66a12501efa03a9f5963f7b5bef2a4062e0e534ecc1a496cdc00cf60470d2e16
Tags: njrat hacked discovery persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

66a12501efa03a9f5963f7b5bef2a4062e0e534ecc1a496cdc00cf60470d2e16

Threat Level: Known bad

The file d4b8a82a729cdf72567046b7555a0922_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

njrat hacked discovery persistence trojan

njRAT/Bladabindi

Loads dropped DLL

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-08 15:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-08 15:53

Reported

2024-09-08 15:56

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Audio Realtek Driver.exe" | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A | 1
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A | 16
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A | 16

(Identical rows are collapsed into the Events column; in the original log the Token: 33 and Token: SeIncBasePriorityPrivilege entries alternate as 16 consecutive pairs.)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2096 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | 9
PID 3048 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | 4
PID 3048 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | C:\Windows\SysWOW64\attrib.exe | 4
PID 2256 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | 9
PID 2944 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | C:\Windows\SysWOW64\attrib.exe | 4
PID 2944 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | C:\Windows\SysWOW64\attrib.exe | 4

(Consecutive identical rows are collapsed into the Events column.)

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

"C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

"C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

Network

Country | Destination | Domain | Proto | Events
US | 8.8.8.8:53 | anunankis1.duckdns.org | udp | 2
ES | 83.213.157.103:1515 | anunankis1.duckdns.org | tcp | 3
US | 8.8.8.8:53 | anunankis1.duckdns.org | udp | 1
ES | 83.213.157.103:1515 | anunankis1.duckdns.org | tcp | 4

(Consecutive identical rows are collapsed into the Events column; original order is preserved.)

Files

memory/2096-0-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

memory/2096-1-0x00000000008B0000-0x00000000008E4000-memory.dmp

memory/2096-2-0x0000000074E50000-0x000000007553E000-memory.dmp

memory/2096-3-0x00000000003B0000-0x00000000003B8000-memory.dmp

memory/3048-7-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3048-10-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3048-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3048-6-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3048-5-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3048-4-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3048-12-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3048-14-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2096-15-0x0000000074E50000-0x000000007553E000-memory.dmp

memory/3048-16-0x0000000074E50000-0x000000007553E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

MD5 d4b8a82a729cdf72567046b7555a0922
SHA1 3f64f0fe9528075fd128d9a4d4591f15d095e268
SHA256 66a12501efa03a9f5963f7b5bef2a4062e0e534ecc1a496cdc00cf60470d2e16
SHA512 22304948535d84940b3f2aaf9ad6553865c3328c3ba897cc1c36928ec813127e41395a44dc5f2db3799bdeb7ae2491eeb6ffba8eff18d065860570839e19fb10

memory/3048-27-0x0000000074E50000-0x000000007553E000-memory.dmp

memory/2256-26-0x00000000000A0000-0x00000000000D4000-memory.dmp

memory/2944-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 e1d45e45044687dab3a6d0632db13944
SHA1 899a5d21fc82511f1958f529f7a8cb07fca318a9
SHA256 cf1c0a075333927031717773ab95451514e865ea03dfbbadfb4ec20316af0149
SHA512 7643e22b5b86ef3847ca78aa6c6bd6f00823e5277832750cf4bf00975088a7dfb4143ab97c50ebbac4698b062e452aaf01efc070fc3801cb82659800bed66690

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 aab0594dc0ccf72394edb0350a86b3f1
SHA1 213f977d9d4b23d8ad554e86c2993d373bab6302
SHA256 cbd65a8650c6b50d91ccdede66a06aaf39709cbe2a8e18d0c96c7d5cbd8506ca
SHA512 dc4fd43d6641c93aed49613704bffab906cbc10f2aa7a3945ce02e6eff299c165cd459e8b047e836ae38871517bfdfe9b2e1fa59b45f9e28d429866b739da16e

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-08 15:53

Reported

2024-09-08 15:56

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Audio Realtek Driver.exe" | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A | 1
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A | 16
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | N/A | 16

(Identical rows are collapsed into the Events column; in the original log the Token: 33 and Token: SeIncBasePriorityPrivilege entries alternate as 16 consecutive pairs.)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 3600 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | 8
PID 1280 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | 3
PID 1280 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe | C:\Windows\SysWOW64\attrib.exe | 3
PID 4244 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | 8
PID 880 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | C:\Windows\SysWOW64\attrib.exe | 3
PID 880 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe | C:\Windows\SysWOW64\attrib.exe | 3

(Consecutive identical rows are collapsed into the Events column.)

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

"C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

"C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

Network

Country | Destination | Domain | Proto | Events
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | anunankis1.duckdns.org | udp | 1
ES | 83.213.157.103:1515 | anunankis1.duckdns.org | tcp | 1
US | 8.8.8.8:53 | 103.157.213.83.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp | 1
ES | 83.213.157.103:1515 | anunankis1.duckdns.org | tcp | 1
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp | 1
ES | 83.213.157.103:1515 | anunankis1.duckdns.org | tcp | 2
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | anunankis1.duckdns.org | udp | 1
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp | 1
ES | 83.213.157.103:1515 | anunankis1.duckdns.org | tcp | 4

(Consecutive identical rows are collapsed into the Events column; original order is preserved.)

Files

memory/3600-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

memory/3600-1-0x0000000000920000-0x0000000000954000-memory.dmp

memory/3600-2-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/3600-3-0x0000000005230000-0x0000000005238000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/1280-8-0x0000000000340000-0x000000000034E000-memory.dmp

memory/1280-7-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/3600-10-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/1280-9-0x0000000004B20000-0x0000000004BBC000-memory.dmp

memory/1280-13-0x00000000058B0000-0x0000000005E54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

MD5 d4b8a82a729cdf72567046b7555a0922
SHA1 3f64f0fe9528075fd128d9a4d4591f15d095e268
SHA256 66a12501efa03a9f5963f7b5bef2a4062e0e534ecc1a496cdc00cf60470d2e16
SHA512 22304948535d84940b3f2aaf9ad6553865c3328c3ba897cc1c36928ec813127e41395a44dc5f2db3799bdeb7ae2491eeb6ffba8eff18d065860570839e19fb10

memory/1280-25-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4244-30-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/880-32-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4244-31-0x0000000074D60000-0x0000000075510000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 a17b27701b4d3b5b39d174f9f3c17841
SHA1 4d98b658d09730704e6eb03ebd0b51a8d811c5ef
SHA256 7bd2938ce6d76d4948188221641210ea9aa9110ea3318cdadab3c87d8f7d16d1
SHA512 a6888617bb82d5d4c343975f46087b2b639aa26b546ceba4f2009be3f55ba1fe3b122d76b08c24c3df9b605251b2dbc6d50e2de602d1e346b035fe1eb301fc63

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 2641fd48c1124a998eaa69132458026a
SHA1 494e0e3624a2c4020d575d1786c97dcebd5fafa4
SHA256 f5bf3bd1b542b36da83bec822bbfabb6ccb0176e47ec869719b18d0cbfc65dbb
SHA512 fc4411e7b12ef8ffa2edc6b751352b13a64ababb19830d773cf6bdac05b3e23de15d88ac80c842c4da2ca4194a953b4d342a14dc2f8a357cb3b243a55c3d15c4

memory/880-37-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/880-38-0x00000000055F0000-0x0000000005682000-memory.dmp

memory/880-39-0x00000000055E0000-0x00000000055EA000-memory.dmp

memory/880-40-0x0000000005840000-0x00000000058A6000-memory.dmp