Malware Analysis Report

2025-03-15 00:34

Sample ID 240928-mp1f8stdrf
Target fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118
SHA256 d90caba2afccdde55362caf4ba52e8a40f75b9ded6d0fd421f467486c27d44ce
Tags
mydoom discovery worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d90caba2afccdde55362caf4ba52e8a40f75b9ded6d0fd421f467486c27d44ce

Threat Level: Known bad

The file fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

mydoom discovery worm

Detects MyDoom family

MyDoom

Suspicious use of SetThreadContext

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-28 10:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-28 10:39

Reported

2024-09-28 10:41

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MyDoom

worm mydoom

Drops file in Program Files directory

Description Indicator Process Target
File created C:\program files\kazaa\my shared folder\Windows 2003 Advanced Server KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Email Spider.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\DivX 5.0 Pro KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\Microsoft Visual Basic KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite k++\my shared folder\Download Boost 2.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Microsoft Visual C++ KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\AOL Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Youtube Music Downloader 1.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Ashampoo PowerUp v3.10.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Acker DVD Ripper 2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite k++\my shared folder\Icepack IDT Gold edition 2008 LEAKED.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Canvas Security Framework 2008 LiMiTeD with 50 0day.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\VmWare ESX GSX server keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Error Doctor 2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite k++\my shared folder\Hotmail spammer bot.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\BitDefender AntiVirus 2008 Keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Adobe Soundbooth CS3.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Boilsoft DVD Ripper 2.82.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\VmWare keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\Adobe Soundbooth CS3.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\VmWare ESX GSX server keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Microsoft Visual Basic KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Ashampoo PowerUp v3.10.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\TCN ISO cable modem hacking tools.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Super Utilities Pro 2008 8.0.1980.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Acker DVD Ripper 2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Shadow Security Scanner 10 Gold.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Hotmail account bruteforcer bot.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\CleanMyPC Registry Cleaner v4.02.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\Canvas Security Framework 2008 LiMiTeD with 50 0day.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite k++\my shared folder\YZdock Machintos osX like toolbar for windows.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Tarantula Full version CRACKED by RaZoR.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\TCN ISO SigmaX2 firmware.bin.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Microsoft Visual Studio KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Adobe Acrobat Reader keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Email Spider.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Daemon Tools Pro 4.10.218.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Microsoft Visual C++ KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Norton Anti-Virus 2008 Enterprise Crack.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Icepack IDT Gold edition 2008 LEAKED.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\PC Secuity Tweaker 7.6.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\Adobe Acrobat Reader keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\Shadow Security Scanner 10 Gold.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Youtube Music Downloader 1.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\YZdock Machintos osX like toolbar for windows.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Daemon Tools Pro 4.10.218.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Download Boost 2.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\Daemon Tools Pro 4.10.218.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Error Doctor 2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\Windows 2003 Advanced Server KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\DivX 5.0 Pro KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\CleanMyPC Registry Cleaner v4.02.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Mirc Keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Shadow Security Scanner 10 Gold.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\VmWare keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Hotmail spammer bot.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\ProRat 2.0 Special Edition.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\SuperRam 5.1.28.2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\CleanMyPC Registry Cleaner v4.02.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\YZdock Machintos osX like toolbar for windows.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite k++\my shared folder\Boilsoft DVD Ripper 2.82.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Youtube Music Downloader 1.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\AOL Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
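The table above is the sample's propagation mechanism: it seeds the shared folders of every P2P client it knows about (Kazaa, eMule, LimeWire, WinMX, ICQ, Morpheus, Grokster, "tesla") with copies of itself under keygen, cracker and utility names so that other users download and run them. The script below is an added example, not part of the sandbox report: it parses rows in the report's own "File created <path> <process> N/A" layout into a hunt list of share directories and lure filenames, and checks candidate host paths against that list. The four rows embedded in it are copied from the table above; the candidate paths in the usage are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input: four rows copied from the table above, in the
# report's "File created <dropped path> <writing process> N/A" layout.
SAMPLE_ROWS = """\
File created C:\\program files\\kazaa\\my shared folder\\Windows 2003 Advanced Server KeyGen.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\\program files\\emule\\incoming\\Email Spider.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\\program files\\limewire\\shared\\AOL Password Cracker.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\\program files\\kazaa\\my shared folder\\Adobe Soundbooth CS3.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
"""

# Both paths contain spaces, so the row is split at the first ".exe" that is
# followed by a second drive-letter path rather than on whitespace.
ROW_RE = re.compile(
    r"^File created (?P<dropped>[A-Za-z]:\\.+?\.exe) "
    r"(?P<process>[A-Za-z]:\\.+?\.exe) N/A$",
    re.IGNORECASE,
)


def parse_file_created(text):
    """Return (dropped_path, writing_process) tuples for every well-formed row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("dropped"), m.group("process")))
    return rows


def split_path(path):
    """Case-folded (directory, filename) so hunting is case-insensitive."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def summarize(rows):
    """Group drops by P2P client (the component after 'program files') and
    collect the share directories and lure names seen in the sandbox."""
    by_client = defaultdict(int)
    share_dirs, lures = set(), set()
    for dropped, _ in rows:
        directory, name = split_path(dropped)
        parts = directory.split("\\")          # ['c:', 'program files', 'kazaa', ...]
        client = parts[2] if len(parts) > 2 else directory
        by_client[client] += 1
        share_dirs.add(directory)
        lures.add(name)
    return {
        "by_client": dict(by_client),
        "share_dirs": sorted(share_dirs),
        "lures": sorted(lures),
    }


def hunt(candidate_paths, summary):
    """Return candidate paths (e.g. from a host file listing) whose directory is
    a known share directory AND whose name is a known lure."""
    share_dirs = set(summary["share_dirs"])
    lures = set(summary["lures"])
    hits = []
    for path in candidate_paths:
        directory, name = split_path(path)
        if directory in share_dirs and name in lures:
            hits.append(path)
    return hits


if __name__ == "__main__":
    summary = summarize(parse_file_created(SAMPLE_ROWS))
    for d in summary["share_dirs"]:
        print("share dir:", d)
    # Constructed candidate listing: one lure, one unrelated file.
    print(hunt([
        "C:\\Program Files\\Kazaa\\My Shared Folder\\Adobe Soundbooth CS3.exe",
        "C:\\Program Files\\Kazaa\\My Shared Folder\\readme.txt",
    ], summary))
```

Feeding the whole table (and the behavioral2 table, which drops a partly different set of names) through parse_file_created gives the full directory and lure list; a matching directory with an unknown .exe is still worth a look, since the name pool is larger than any one detonation shows.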

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2696 (6 identical events) N/A C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe
PID 2696 wrote to memory of 1200 (58 identical events) N/A C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe C:\Windows\Explorer.EXE
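The WriteProcessMemory rows record a two-stage chain: the original process (PID 2676) writes into a second instance of its own image (PID 2696), which together with the SetThreadContext and SeDebugPrivilege flags in the summary is the usual shape of process hollowing, and the written-to copy then writes repeatedly into Explorer.EXE (PID 1200). The code below is an added example, not part of the report: it encodes that pattern as detection logic over a constructed event list built from the PIDs, images and counts in the table above (the SHELL_TARGETS set is an assumption about which trusted images are worth alerting on).

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class WpmEvent:
    """One 'PID A wrote to memory of B' row, in chronological order."""
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


SAMPLE_EXE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
              "fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe")
EXPLORER = "C:\\Windows\\Explorer.EXE"

# Constructed from the table above: 6 writes 2676 -> 2696 (the sample into a
# fresh copy of itself), then 58 writes 2696 -> 1200 (the copy into Explorer).
EVENTS = ([WpmEvent(2676, 2696, SAMPLE_EXE, SAMPLE_EXE)] * 6
          + [WpmEvent(2696, 1200, SAMPLE_EXE, EXPLORER)] * 58)

# Assumed list of trusted images that malware commonly writes into.
SHELL_TARGETS = {"explorer.exe", "svchost.exe"}


def basename(path):
    return path.rpartition("\\")[2].lower()


def find_injection_chain(events):
    """Stage 1: a process writes into a different PID running the same image
    (hollowing-style).  Stage 2: that written-to PID later writes into a
    process whose image is in SHELL_TARGETS.  Returns per-stage write counts
    and whether the full chain was observed in order."""
    writes = Counter((e.src_pid, e.dst_pid) for e in events)
    first_seen, images = {}, {}
    for i, e in enumerate(events):
        first_seen.setdefault((e.src_pid, e.dst_pid), i)
        images[e.src_pid] = e.src_image
        images[e.dst_pid] = e.dst_image

    self_image_writes = {}  # dst_pid -> (src_pid, write count)
    for (src, dst), n in writes.items():
        if src != dst and basename(images[src]) == basename(images[dst]):
            self_image_writes[dst] = (src, n)

    shell_injection = {}    # (src_pid, dst_pid) -> write count
    for (src, dst), n in writes.items():
        if src in self_image_writes and basename(images[dst]) in SHELL_TARGETS:
            parent, _ = self_image_writes[src]
            if first_seen[(parent, src)] < first_seen[(src, dst)]:
                shell_injection[(src, dst)] = n

    return {
        "self_image_writes": self_image_writes,
        "shell_injection": shell_injection,
        "chain": bool(shell_injection),
    }


if __name__ == "__main__":
    result = find_injection_chain(EVENTS)
    print("hollowing-style writes:", result["self_image_writes"])
    print("writes into shell process:", result["shell_injection"])
    print("full chain observed:", result["chain"])
```

On a live host the same logic runs over Sysmon or EDR cross-process write events; the ordering check matters because a lone write into explorer.exe (debuggers, some shell extensions) is noisy on its own, while a same-image hollow followed by a write into a shell process is not.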

Processes

Process: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Process: C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe"

Process: C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe
Command line: C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe

Process: C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe
Command line: C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe

Process: C:\Windows\SysWOW64\notepad.exe
Command line: notepad C:\Users\Admin\AppData\Local\Temp\Message

Network

N/A

Files

memory/2696-0-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2696-4-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2696-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2696-6-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2696-7-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2868-8-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/2868-16-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/2868-15-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/2676-13-0x0000000040000000-0x0000000040024000-memory.dmp

memory/2868-12-0x00000000004A0000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Message

MD5 fc0a33038279301d963880966d5365c8
SHA1 bd4d017ff0f748a21ca170689d1ff26f7e51d8eb
SHA256 f90536fdb1adffefbe6cf596e99bbca70822aa0cbcce3aa6de790a8355a5221d
SHA512 4766794c0c2a28a0007439324c6a942549b69a9a6e9877e8e7304222b93256149d5ee43276912da0526c6f53b73f76680d88064b4d2a5a89ebf6399381cab6e0

memory/2868-19-0x00000000004A0000-0x00000000004AA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-28 10:39

Reported

2024-09-28 10:41

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MyDoom

worm mydoom

Drops file in Program Files directory

Description Indicator Process Target
File created C:\program files\grokster\my grokster\SuperRam 5.1.28.2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Absolute Video Converter 3.07.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Email Spider.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Super Utilities Pro 2008 8.0.1980.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\Acker DVD Ripper 2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite k++\my shared folder\ProRat 2.0 Special Edition.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\TCN ISO cable modem hacking tools.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\TCN ISO cable modem hacking tools.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\SuperRam 5.1.28.2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\TCN ISO cable modem hacking tools.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\CleanMyPC Registry Cleaner v4.02.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Ashampoo PowerUp v3.10.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\Anti-Trojan Elite v4.01.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\Adobe Acrobat Reader keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Email Spider.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Super Utilities Pro 2008 8.0.1980.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Microsoft Visual C++ KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Adobe Acrobat Reader keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\AOL Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\TCN ISO SigmaX2 firmware.bin.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Adobe Soundbooth CS3.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\CleanMyPC Registry Cleaner v4.02.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\AOL Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\AOL Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Download Boost 2.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\Download Boost 2.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Youtube Music Downloader 1.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\AOL Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\Adobe Soundbooth CS3.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Error Doctor 2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Microsoft Visual Basic KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Canvas Security Framework 2008 LiMiTeD with 50 0day.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\BitDefender AntiVirus 2008 Keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\Acker DVD Ripper 2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\Youtube Music Downloader 1.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Microsoft Visual Basic KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\CleanMyPC Registry Cleaner v4.02.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\VmWare ESX GSX server keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\CleanMyPC Registry Cleaner v4.02.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\DivX 5.0 Pro KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\ProRat 2.0 Special Edition.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\VmWare keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\Absolute Video Converter 3.07.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite k++\my shared folder\Hotmail spammer bot.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Wow Glider incl serial.SFX.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Adobe Soundbooth CS3.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\DivX 5.0 Pro KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Error Doctor 2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite\my shared folder\VMware Workstation 6 Windows keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\SuperRam 5.1.28.2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\YZdock Machintos osX like toolbar for windows.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\emule\incoming\Download Boost 2.0.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\morpheus\my shared folder\DivX 5.0 Pro KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\limewire\shared\Acker DVD Ripper 2008.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa\my shared folder\AOL Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite k++\my shared folder\Microsoft Visual C++ KeyGen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Password Cracker.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\winmx\shared\Super Utilities Pro 2008 8.0.1980.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\icq\shared folder\Tarantula Full version CRACKED by RaZoR.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite k++\my shared folder\Mirc Keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\kazaa lite k++\my shared folder\CleanMyPC Registry Cleaner v4.02.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\grokster\my grokster\Shadow Security Scanner 10 Gold.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A
File created C:\program files\tesla\files\Adobe Acrobat Reader keygen.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe N/A (×2)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe (×5)
PID 3204 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe C:\Windows\Explorer.EXE (×59)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fc1e7eba45bb977d149d544c6502ed5b_JaffaCakes118.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2340 -ip 2340

C:\Windows\SysWOW64\notepad.exe

notepad C:\Users\Admin\AppData\Local\Temp\Message

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2340 -ip 2340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 456

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp

Files

memory/3204-0-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3204-2-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3204-3-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4556-4-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/4556-6-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/4556-8-0x00000000004A0000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Message

MD5 d83640e38f42f94ee7702483b6bf472f
SHA1 89b8c08e83124fa74f02e0695402d75c11f4612d
SHA256 22811ecea6680e50ff4adc1d313e852d1a20f75b94a375641cb46d0c7c000edf
SHA512 1ffe6dc292f6d6765e7318752833aa2452bc96d82ffa31a385e30a6578aae3ae5c0af7b249430d64b052f368abbd7605481bf22d035cb48bc11bdb1173658791

memory/2340-11-0x0000000040000000-0x0000000040024000-memory.dmp

memory/4556-12-0x00000000004A0000-0x00000000004AA000-memory.dmp