Malware Analysis Report

2025-01-02 05:34

Sample ID 240928-ghyq6szdqq
Target fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118
SHA256 775e884c62bdb526eb6a26abdd14221782ada4ba4a572741a78757d981e997dc
Tags
njrat redline sectoprat fivemmm hacked discovery evasion infostealer persistence privilege_escalation rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

775e884c62bdb526eb6a26abdd14221782ada4ba4a572741a78757d981e997dc

Threat Level: Known bad

The file fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

njrat redline sectoprat fivemmm hacked discovery evasion infostealer persistence privilege_escalation rat trojan

SectopRAT payload

njRAT/Bladabindi

RedLine payload

SectopRAT

RedLine

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-28 05:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-28 05:48

Reported

2024-09-28 05:51

Platform

win7-20240903-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target Count
N/A N/A N/A N/A 5

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target Count
N/A N/A N/A N/A 5

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\83e01e55971481266f4aa1ab6ece4b17 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\css.exe\" .." C:\Users\Admin\AppData\Local\Temp\css.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\83e01e55971481266f4aa1ab6ece4b17 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\css.exe\" .." C:\Users\Admin\AppData\Local\Temp\css.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3028 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Local\Temp\1.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\css.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\css.exe N/A 45

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\css.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2376 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1.exe 4
PID 2376 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Server.exe 4
PID 2284 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Local\Temp\css.exe 4
PID 2908 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\css.exe C:\Windows\SysWOW64\netsh.exe 4
PID 3028 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Local\Temp\1.exe 9

Processes

C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\css.exe

"C:\Users\Admin\AppData\Local\Temp\css.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\css.exe" "css.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe

Network

Country Destination Domain Proto Count
RU 185.215.113.55:36801 N/A tcp 7
US 8.8.8.8:53 lptrojan.duckdns.org udp 2
US 23.237.25.58:1177 lptrojan.duckdns.org tcp 6

Files

\Users\Admin\AppData\Local\Temp\1.exe

MD5 524cf73258298aea3f30b4fc69fe8133
SHA1 e3aee9709dd93b56d7ac07cae1cc17892406f711
SHA256 c08cd89bc38d96922bc6c900afd041de7b55d6cec276cc5c7a79eb1869f2b1e5
SHA512 0fbd32bbe4f63b8ef0b78c7d28bcfc1e2c6fd8054a56f42b2bbf396a818f70d2c4e3c18caf5758affb8aff134a28be18fc6a863e4f03bc2dc2fc6275f8dd1179

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 c69f5c53bbd00f5d124cdfc040313adc
SHA1 9c60bbc168a25d7179022b696b6f8eda6df6f54a
SHA256 dac36b2a874ef4894c59374759dc454bc3c85d1a1f9321798168195390111857
SHA512 a7f8fac7b4a76db0f4b7af0f3b2fc5af9d096af6fac4a0fa299a8c164c846b4190bfce83e38801f70ee6fc990d88cfd111afedcbcdfe278e78387ea8df5b80ed

memory/2284-32-0x0000000074131000-0x0000000074132000-memory.dmp

memory/2284-34-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/2284-35-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/3028-36-0x0000000000AB0000-0x0000000000B22000-memory.dmp

memory/2284-44-0x0000000074130000-0x00000000746DB000-memory.dmp

memory/2604-46-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2604-58-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2604-57-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2604-55-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2604-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2604-52-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2604-50-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2604-48-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-28 05:48

Reported

2024-09-28 05:51

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\83e01e55971481266f4aa1ab6ece4b17 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\css.exe\" .." C:\Users\Admin\AppData\Local\Temp\css.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83e01e55971481266f4aa1ab6ece4b17 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\css.exe\" .." C:\Users\Admin\AppData\Local\Temp\css.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4980 set thread context of 4632 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Local\Temp\1.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\css.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\css.exe N/A 48

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\css.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1268 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1.exe 3
PID 1268 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Server.exe 3
PID 4872 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Local\Temp\css.exe 3
PID 4420 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\css.exe C:\Windows\SysWOW64\netsh.exe 3
PID 4980 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Local\Temp\1.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\css.exe

"C:\Users\Admin\AppData\Local\Temp\css.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\css.exe" "css.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp 1
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
RU 185.215.113.55:36801 N/A tcp 7
US 8.8.8.8:53 lptrojan.duckdns.org udp 2
US 23.237.25.58:1177 lptrojan.duckdns.org tcp 6
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp 1
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp 1
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp 1

Files

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5 524cf73258298aea3f30b4fc69fe8133
SHA1 e3aee9709dd93b56d7ac07cae1cc17892406f711
SHA256 c08cd89bc38d96922bc6c900afd041de7b55d6cec276cc5c7a79eb1869f2b1e5
SHA512 0fbd32bbe4f63b8ef0b78c7d28bcfc1e2c6fd8054a56f42b2bbf396a818f70d2c4e3c18caf5758affb8aff134a28be18fc6a863e4f03bc2dc2fc6275f8dd1179

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 c69f5c53bbd00f5d124cdfc040313adc
SHA1 9c60bbc168a25d7179022b696b6f8eda6df6f54a
SHA256 dac36b2a874ef4894c59374759dc454bc3c85d1a1f9321798168195390111857
SHA512 a7f8fac7b4a76db0f4b7af0f3b2fc5af9d096af6fac4a0fa299a8c164c846b4190bfce83e38801f70ee6fc990d88cfd111afedcbcdfe278e78387ea8df5b80ed

memory/4872-20-0x0000000074992000-0x0000000074993000-memory.dmp

memory/4872-22-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/4872-23-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/4980-24-0x0000000073BDE000-0x0000000073BDF000-memory.dmp

memory/4980-25-0x0000000000D60000-0x0000000000DD2000-memory.dmp

memory/4980-33-0x00000000055F0000-0x0000000005666000-memory.dmp

memory/4872-36-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/4980-37-0x00000000055C0000-0x00000000055DE000-memory.dmp

memory/4980-38-0x0000000005CF0000-0x0000000006294000-memory.dmp

memory/4632-39-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4632-44-0x0000000005140000-0x0000000005152000-memory.dmp

memory/4632-43-0x00000000056E0000-0x0000000005CF8000-memory.dmp

memory/4632-45-0x0000000005270000-0x000000000537A000-memory.dmp

memory/4632-46-0x00000000051E0000-0x000000000521C000-memory.dmp

memory/4632-47-0x0000000005180000-0x00000000051CC000-memory.dmp