Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25/09/2024, 09:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe
-
Size
195KB
-
MD5
f5aea7ea840e3599af7bba8f765a981c
-
SHA1
eab5a34783ee085e2f9276700bdb4e26c64f559c
-
SHA256
ee8cc67402655c1bf1271a5a105c13fd230dd4cabacb54bc0e38e0432ad2d9fc
-
SHA512
4488817177bc485a7c28a6ca0850775d75c7cab816cabffb1c7d785f277ccd572c21d3218f37b41f9c7f20f5876fd5ddfff78671d913e39af5b3df22c9738b58
-
SSDEEP
1536:PvQBeOGtrYSSsrc93UBIfdC67m6AJiqyShdzr08QaVz9kv:PhOm2sI93UufdC67cih8hE7v
Malware Config
Signatures
-
Detect Blackmoon payload 58 IoCs
resource yara_rule behavioral1/memory/3008-9-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1992-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2420-27-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2372-32-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2420-29-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2420-24-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2864-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2744-51-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2748-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2432-75-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/2832-85-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2744-84-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2924-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2644-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2648-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/940-126-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2320-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1620-163-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1936-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2152-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1796-206-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1536-217-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1796-237-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/2504-236-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/316-270-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2960-273-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2960-280-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2428-289-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2500-319-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2912-326-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2724-345-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2812-378-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/3052-411-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2904-433-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1936-453-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2636-461-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2636-460-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2052-480-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2556-487-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2556-488-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2124-495-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2564-562-0x0000000000250000-0x0000000000279000-memory.dmp family_blackmoon 
behavioral1/memory/1668-600-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/868-692-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1596-705-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/1820-710-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/868-713-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1308-721-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1536-767-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2108-770-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2108-775-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/884-837-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/884-858-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2140-866-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2440-903-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2848-911-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2848-909-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2272-918-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1992 pdvvd.exe 2420 1lfflfr.exe 2372 frlrxlx.exe 2864 thbnnn.exe 2744 3thtbn.exe 2748 tbbbbh.exe 2432 jpppd.exe 2832 lllrxlf.exe 2924 9tntth.exe 2644 rrffrxl.exe 2648 hbnthh.exe 940 pjpvv.exe 3032 lffrlrf.exe 2060 hbtnbb.exe 2320 jjvpj.exe 1620 rrrxrxr.exe 1936 bhthbn.exe 1304 hbbnbt.exe 2152 rlxxllx.exe 2220 ffxfxxl.exe 1796 hnbhth.exe 1536 pvdjp.exe 448 hthhhh.exe 2504 pjddj.exe 908 fxxxffr.exe 1528 bnbhtb.exe 344 vdvvd.exe 316 rlfxrlx.exe 2960 1tbbbh.exe 2428 dvjjj.exe 2496 xrlrlrf.exe 788 btbhnn.exe 1984 3pdvj.exe 2500 frlrxfl.exe 2912 lxffxxl.exe 2352 3htnnn.exe 2020 1dvpj.exe 2724 lxflrll.exe 2824 rlrxllr.exe 2408 jjpjj.exe 2748 vvpdj.exe 2704 lfrfllr.exe 2812 xllrflx.exe 2732 btbbnn.exe 2652 ddddv.exe 2640 xxxflrr.exe 2304 lfrlxfl.exe 3052 3nhhhn.exe 1864 jvddp.exe 860 rlxlflx.exe 840 lflfxfx.exe 2904 bhbnbn.exe 2036 ddpjp.exe 1936 5rllxxl.exe 2636 rflrlrf.exe 2252 tbttnh.exe 2152 pjdjp.exe 2052 pjvjv.exe 2556 1rllxfr.exe 2124 nhbnbh.exe 352 hntntt.exe 2080 1jvpj.exe 284 rlfxrll.exe 1748 rxxxflx.exe -
resource yara_rule behavioral1/memory/3008-9-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1992-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2372-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2420-29-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2864-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2744-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2748-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2832-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2924-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2644-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2648-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/940-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2648-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/940-126-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2320-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1620-163-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1936-171-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2152-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1796-206-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1536-217-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2504-236-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/316-270-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2960-273-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2428-289-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2500-319-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2912-326-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/2724-345-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2812-378-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/3052-411-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2904-433-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1936-453-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2636-461-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2052-480-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2556-487-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/2556-488-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2564-562-0x0000000000250000-0x0000000000279000-memory.dmp upx behavioral1/memory/2264-579-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1668-600-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/2744-617-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2712-636-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2640-667-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1308-714-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1536-767-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2108-775-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/592-818-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2140-859-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2440-903-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/2848-909-0x0000000000220000-0x0000000000249000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bththh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3008 wrote to memory of 1992 3008 f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe 30 PID 3008 wrote to memory of 1992 3008 f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe 30 PID 3008 wrote to memory of 1992 3008 f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe 30 PID 3008 wrote to memory of 1992 3008 f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe 30 PID 1992 wrote to memory of 2420 1992 pdvvd.exe 31 PID 1992 wrote to memory of 2420 1992 pdvvd.exe 31 PID 1992 wrote to memory of 2420 1992 pdvvd.exe 31 PID 1992 wrote to memory of 2420 1992 pdvvd.exe 31 PID 2420 wrote to memory of 2372 2420 1lfflfr.exe 32 PID 2420 wrote to memory of 2372 2420 1lfflfr.exe 32 PID 2420 wrote to memory of 2372 2420 1lfflfr.exe 32 PID 2420 wrote to memory of 2372 2420 1lfflfr.exe 32 PID 2372 wrote to memory of 2864 2372 frlrxlx.exe 33 PID 2372 wrote to memory of 2864 2372 frlrxlx.exe 33 PID 2372 wrote to memory of 2864 2372 frlrxlx.exe 33 PID 2372 wrote to memory of 2864 2372 frlrxlx.exe 33 PID 2864 wrote to memory of 2744 2864 thbnnn.exe 34 PID 2864 wrote to memory of 2744 2864 thbnnn.exe 34 PID 2864 wrote to memory of 2744 2864 thbnnn.exe 34 PID 2864 wrote to memory of 2744 2864 thbnnn.exe 34 PID 2744 wrote to memory of 2748 2744 3thtbn.exe 35 PID 2744 wrote to memory of 2748 2744 3thtbn.exe 35 PID 2744 wrote to memory of 2748 2744 3thtbn.exe 35 PID 2744 wrote to memory of 2748 2744 3thtbn.exe 35 PID 2748 wrote to memory of 2432 2748 tbbbbh.exe 36 PID 2748 wrote to memory of 2432 2748 tbbbbh.exe 36 PID 2748 wrote to memory of 2432 2748 tbbbbh.exe 36 PID 2748 wrote to memory of 2432 2748 tbbbbh.exe 36 PID 2432 wrote to memory of 2832 2432 jpppd.exe 37 PID 2432 wrote to memory of 2832 2432 jpppd.exe 37 PID 2432 wrote to memory of 2832 2432 jpppd.exe 37 PID 2432 wrote to memory of 2832 2432 jpppd.exe 37 PID 2832 wrote to memory of 2924 2832 lllrxlf.exe 38 PID 2832 wrote to memory of 2924 2832 lllrxlf.exe 38 PID 2832 wrote to memory of 
2924 2832 lllrxlf.exe 38 PID 2832 wrote to memory of 2924 2832 lllrxlf.exe 38 PID 2924 wrote to memory of 2644 2924 9tntth.exe 39 PID 2924 wrote to memory of 2644 2924 9tntth.exe 39 PID 2924 wrote to memory of 2644 2924 9tntth.exe 39 PID 2924 wrote to memory of 2644 2924 9tntth.exe 39 PID 2644 wrote to memory of 2648 2644 rrffrxl.exe 40 PID 2644 wrote to memory of 2648 2644 rrffrxl.exe 40 PID 2644 wrote to memory of 2648 2644 rrffrxl.exe 40 PID 2644 wrote to memory of 2648 2644 rrffrxl.exe 40 PID 2648 wrote to memory of 940 2648 hbnthh.exe 41 PID 2648 wrote to memory of 940 2648 hbnthh.exe 41 PID 2648 wrote to memory of 940 2648 hbnthh.exe 41 PID 2648 wrote to memory of 940 2648 hbnthh.exe 41 PID 940 wrote to memory of 3032 940 pjpvv.exe 42 PID 940 wrote to memory of 3032 940 pjpvv.exe 42 PID 940 wrote to memory of 3032 940 pjpvv.exe 42 PID 940 wrote to memory of 3032 940 pjpvv.exe 42 PID 3032 wrote to memory of 2060 3032 lffrlrf.exe 43 PID 3032 wrote to memory of 2060 3032 lffrlrf.exe 43 PID 3032 wrote to memory of 2060 3032 lffrlrf.exe 43 PID 3032 wrote to memory of 2060 3032 lffrlrf.exe 43 PID 2060 wrote to memory of 2320 2060 hbtnbb.exe 44 PID 2060 wrote to memory of 2320 2060 hbtnbb.exe 44 PID 2060 wrote to memory of 2320 2060 hbtnbb.exe 44 PID 2060 wrote to memory of 2320 2060 hbtnbb.exe 44 PID 2320 wrote to memory of 1620 2320 jjvpj.exe 45 PID 2320 wrote to memory of 1620 2320 jjvpj.exe 45 PID 2320 wrote to memory of 1620 2320 jjvpj.exe 45 PID 2320 wrote to memory of 1620 2320 jjvpj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\pdvvd.exec:\pdvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\1lfflfr.exec:\1lfflfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\frlrxlx.exec:\frlrxlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\thbnnn.exec:\thbnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\3thtbn.exec:\3thtbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\tbbbbh.exec:\tbbbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\jpppd.exec:\jpppd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\lllrxlf.exec:\lllrxlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\9tntth.exec:\9tntth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\rrffrxl.exec:\rrffrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\hbnthh.exec:\hbnthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\pjpvv.exec:\pjpvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\lffrlrf.exec:\lffrlrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\hbtnbb.exec:\hbtnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\jjvpj.exec:\jjvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\rrrxrxr.exec:\rrrxrxr.exe17⤵
- Executes dropped EXE
PID:1620 -
\??\c:\bhthbn.exec:\bhthbn.exe18⤵
- Executes dropped EXE
PID:1936 -
\??\c:\hbbnbt.exec:\hbbnbt.exe19⤵
- Executes dropped EXE
PID:1304 -
\??\c:\rlxxllx.exec:\rlxxllx.exe20⤵
- Executes dropped EXE
PID:2152 -
\??\c:\ffxfxxl.exec:\ffxfxxl.exe21⤵
- Executes dropped EXE
PID:2220 -
\??\c:\hnbhth.exec:\hnbhth.exe22⤵
- Executes dropped EXE
PID:1796 -
\??\c:\pvdjp.exec:\pvdjp.exe23⤵
- Executes dropped EXE
PID:1536 -
\??\c:\hthhhh.exec:\hthhhh.exe24⤵
- Executes dropped EXE
PID:448 -
\??\c:\pjddj.exec:\pjddj.exe25⤵
- Executes dropped EXE
PID:2504 -
\??\c:\fxxxffr.exec:\fxxxffr.exe26⤵
- Executes dropped EXE
PID:908 -
\??\c:\bnbhtb.exec:\bnbhtb.exe27⤵
- Executes dropped EXE
PID:1528 -
\??\c:\vdvvd.exec:\vdvvd.exe28⤵
- Executes dropped EXE
PID:344 -
\??\c:\rlfxrlx.exec:\rlfxrlx.exe29⤵
- Executes dropped EXE
PID:316 -
\??\c:\1tbbbh.exec:\1tbbbh.exe30⤵
- Executes dropped EXE
PID:2960 -
\??\c:\dvjjj.exec:\dvjjj.exe31⤵
- Executes dropped EXE
PID:2428 -
\??\c:\xrlrlrf.exec:\xrlrlrf.exe32⤵
- Executes dropped EXE
PID:2496 -
\??\c:\btbhnn.exec:\btbhnn.exe33⤵
- Executes dropped EXE
PID:788 -
\??\c:\3pdvj.exec:\3pdvj.exe34⤵
- Executes dropped EXE
PID:1984 -
\??\c:\frlrxfl.exec:\frlrxfl.exe35⤵
- Executes dropped EXE
PID:2500 -
\??\c:\lxffxxl.exec:\lxffxxl.exe36⤵
- Executes dropped EXE
PID:2912 -
\??\c:\3htnnn.exec:\3htnnn.exe37⤵
- Executes dropped EXE
PID:2352 -
\??\c:\1dvpj.exec:\1dvpj.exe38⤵
- Executes dropped EXE
PID:2020 -
\??\c:\lxflrll.exec:\lxflrll.exe39⤵
- Executes dropped EXE
PID:2724 -
\??\c:\rlrxllr.exec:\rlrxllr.exe40⤵
- Executes dropped EXE
PID:2824 -
\??\c:\jjpjj.exec:\jjpjj.exe41⤵
- Executes dropped EXE
PID:2408 -
\??\c:\vvpdj.exec:\vvpdj.exe42⤵
- Executes dropped EXE
PID:2748 -
\??\c:\lfrfllr.exec:\lfrfllr.exe43⤵
- Executes dropped EXE
PID:2704 -
\??\c:\xllrflx.exec:\xllrflx.exe44⤵
- Executes dropped EXE
PID:2812 -
\??\c:\btbbnn.exec:\btbbnn.exe45⤵
- Executes dropped EXE
PID:2732 -
\??\c:\ddddv.exec:\ddddv.exe46⤵
- Executes dropped EXE
PID:2652 -
\??\c:\xxxflrr.exec:\xxxflrr.exe47⤵
- Executes dropped EXE
PID:2640 -
\??\c:\lfrlxfl.exec:\lfrlxfl.exe48⤵
- Executes dropped EXE
PID:2304 -
\??\c:\3nhhhn.exec:\3nhhhn.exe49⤵
- Executes dropped EXE
PID:3052 -
\??\c:\jvddp.exec:\jvddp.exe50⤵
- Executes dropped EXE
PID:1864 -
\??\c:\rlxlflx.exec:\rlxlflx.exe51⤵
- Executes dropped EXE
PID:860 -
\??\c:\lflfxfx.exec:\lflfxfx.exe52⤵
- Executes dropped EXE
PID:840 -
\??\c:\bhbnbn.exec:\bhbnbn.exe53⤵
- Executes dropped EXE
PID:2904 -
\??\c:\ddpjp.exec:\ddpjp.exe54⤵
- Executes dropped EXE
PID:2036 -
\??\c:\5rllxxl.exec:\5rllxxl.exe55⤵
- Executes dropped EXE
PID:1936 -
\??\c:\rflrlrf.exec:\rflrlrf.exe56⤵
- Executes dropped EXE
PID:2636 -
\??\c:\tbttnh.exec:\tbttnh.exe57⤵
- Executes dropped EXE
PID:2252 -
\??\c:\pjdjp.exec:\pjdjp.exe58⤵
- Executes dropped EXE
PID:2152 -
\??\c:\pjvjv.exec:\pjvjv.exe59⤵
- Executes dropped EXE
PID:2052 -
\??\c:\1rllxfr.exec:\1rllxfr.exe60⤵
- Executes dropped EXE
PID:2556 -
\??\c:\nhbnbh.exec:\nhbnbh.exe61⤵
- Executes dropped EXE
PID:2124 -
\??\c:\hntntt.exec:\hntntt.exe62⤵
- Executes dropped EXE
PID:352 -
\??\c:\1jvpj.exec:\1jvpj.exe63⤵
- Executes dropped EXE
PID:2080 -
\??\c:\rlfxrll.exec:\rlfxrll.exe64⤵
- Executes dropped EXE
PID:284 -
\??\c:\rxxxflx.exec:\rxxxflx.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1748 -
\??\c:\tnhnnn.exec:\tnhnnn.exe66⤵PID:616
-
\??\c:\9vddj.exec:\9vddj.exe67⤵PID:888
-
\??\c:\3dvjv.exec:\3dvjv.exe68⤵PID:2424
-
\??\c:\ffrlxlf.exec:\ffrlxlf.exe69⤵PID:2564
-
\??\c:\tnhnbt.exec:\tnhnbt.exe70⤵PID:316
-
\??\c:\hhhthn.exec:\hhhthn.exe71⤵PID:2532
-
\??\c:\vvjpd.exec:\vvjpd.exe72⤵PID:884
-
\??\c:\5pjdj.exec:\5pjdj.exe73⤵PID:2484
-
\??\c:\lfxfrlr.exec:\lfxfrlr.exe74⤵PID:3008
-
\??\c:\xffllrf.exec:\xffllrf.exe75⤵PID:596
-
\??\c:\ntnnht.exec:\ntnnht.exe76⤵PID:2264
-
\??\c:\hhbhnn.exec:\hhbhnn.exe77⤵PID:2548
-
\??\c:\dddvp.exec:\dddvp.exe78⤵PID:1648
-
\??\c:\rrrfrrf.exec:\rrrfrrf.exe79⤵PID:1668
-
\??\c:\1fxfflx.exec:\1fxfflx.exe80⤵PID:2292
-
\??\c:\7btttt.exec:\7btttt.exe81⤵PID:2804
-
\??\c:\nnbbhb.exec:\nnbbhb.exe82⤵PID:2744
-
\??\c:\9jjjd.exec:\9jjjd.exe83⤵PID:2944
-
\??\c:\ddpjd.exec:\ddpjd.exe84⤵PID:2604
-
\??\c:\xfxllrr.exec:\xfxllrr.exe85⤵PID:2712
-
\??\c:\9lffrrf.exec:\9lffrrf.exe86⤵PID:2832
-
\??\c:\bbbnnt.exec:\bbbnnt.exe87⤵PID:2768
-
\??\c:\pvjpv.exec:\pvjpv.exe88⤵PID:2608
-
\??\c:\vddpv.exec:\vddpv.exe89⤵PID:2644
-
\??\c:\flrfrrx.exec:\flrfrrx.exe90⤵PID:2640
-
\??\c:\tnttbh.exec:\tnttbh.exe91⤵PID:1712
-
\??\c:\nnbbnt.exec:\nnbbnt.exe92⤵PID:3052
-
\??\c:\9ppvj.exec:\9ppvj.exe93⤵PID:868
-
\??\c:\pvjpd.exec:\pvjpd.exe94⤵PID:2664
-
\??\c:\1lfxffl.exec:\1lfxffl.exe95⤵PID:1596
-
\??\c:\hthhtb.exec:\hthhtb.exe96⤵PID:1820
-
\??\c:\tnbhhh.exec:\tnbhhh.exe97⤵PID:1308
-
\??\c:\dvvvd.exec:\dvvvd.exe98⤵PID:1936
-
\??\c:\lrlfflf.exec:\lrlfflf.exe99⤵PID:2636
-
\??\c:\9nbtbb.exec:\9nbtbb.exe100⤵PID:2144
-
\??\c:\7dvvv.exec:\7dvvv.exe101⤵PID:2220
-
\??\c:\ppdjp.exec:\ppdjp.exe102⤵PID:2396
-
\??\c:\xlrrffl.exec:\xlrrffl.exe103⤵PID:1016
-
\??\c:\fflxlxr.exec:\fflxlxr.exe104⤵PID:1536
-
\??\c:\9flfrrl.exec:\9flfrrl.exe105⤵PID:2108
-
\??\c:\tnbbnh.exec:\tnbbnh.exe106⤵PID:1944
-
\??\c:\djjdd.exec:\djjdd.exe107⤵PID:548
-
\??\c:\lfrxrxl.exec:\lfrxrxl.exe108⤵PID:2004
-
\??\c:\tntnnb.exec:\tntnnb.exe109⤵PID:908
-
\??\c:\btntbb.exec:\btntbb.exe110⤵PID:1784
-
\??\c:\jjvjv.exec:\jjvjv.exe111⤵PID:1800
-
\??\c:\frxflrx.exec:\frxflrx.exe112⤵PID:2564
-
\??\c:\5lxrlxf.exec:\5lxrlxf.exe113⤵PID:592
-
\??\c:\hthbnt.exec:\hthbnt.exe114⤵PID:1396
-
\??\c:\3jddd.exec:\3jddd.exe115⤵PID:884
-
\??\c:\7pjpv.exec:\7pjpv.exe116⤵PID:332
-
\??\c:\fxrxlxx.exec:\fxrxlxx.exe117⤵PID:816
-
\??\c:\5btttb.exec:\5btttb.exe118⤵PID:1984
-
\??\c:\hnbnnb.exec:\hnbnnb.exe119⤵PID:2140
-
\??\c:\3pjvj.exec:\3pjvj.exe120⤵PID:1584
-
\??\c:\7rflrrf.exec:\7rflrrf.exe121⤵PID:2808
-
\??\c:\xrlfllx.exec:\xrlfllx.exe122⤵PID:2736