Malware Analysis Report

2025-08-11 07:42

Sample ID 241003-vje74swepp
Target 0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118
SHA256 b2f2278e08e7948fdadb10567269e42b9afe2922e650d5e5bee2990432386370
Tags
discovery upx ramnit banker spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b2f2278e08e7948fdadb10567269e42b9afe2922e650d5e5bee2990432386370

Threat Level: Known bad

The file 0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery upx ramnit banker spyware stealer trojan worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-03 17:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 17:00

Reported

2024-10-03 17:03

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118.dll,#1

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32mgr.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 180 wrote to memory of 3392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 180 wrote to memory of 3392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 180 wrote to memory of 3392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3392 wrote to memory of 4164 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 3392 wrote to memory of 4164 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 3392 wrote to memory of 4164 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4164 -ip 4164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 264

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp
US | 52.111.229.48:443 | (none) | tcp
US | 8.8.8.8:53 | 147.108.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp

Files

memory/3392-0-0x0000000074FE0000-0x0000000075024000-memory.dmp

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 1713dcea0892955ae4ad238bf4b9a34d
SHA1 172c10720153e717402654f97ad56516f43705bf
SHA256 e4cbc03a8bea10728e756b7187435b3675af2d45ace12e6b6641e44b25d54b23
SHA512 e0a0a1ec9e9380bcc1692016dcadb6b794ef13e3a49b9709799c8b281401cd0faa0b63b0aa0fa750820cdec674f7c6e02e259e66cf843975fcbd49e9c1be021c

memory/4164-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4164-6-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/4164-7-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 17:00

Reported

2024-10-03 17:03

Platform

win7-20240903-en

Max time kernel

133s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D5FB941-81A9-11EF-846E-46BBF83CD43C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D5D57E1-81A9-11EF-846E-46BBF83CD43C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434136722" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2364 wrote to memory of 2080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 2080 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 2080 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 2080 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 2696 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2688 wrote to memory of 1056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2688 wrote to memory of 1056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2688 wrote to memory of 1056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2688 wrote to memory of 1056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2548 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2548 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2548 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2548 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2080-1-0x0000000074A00000-0x0000000074A44000-memory.dmp

\Windows\SysWOW64\rundll32mgr.exe

MD5 1713dcea0892955ae4ad238bf4b9a34d
SHA1 172c10720153e717402654f97ad56516f43705bf
SHA256 e4cbc03a8bea10728e756b7187435b3675af2d45ace12e6b6641e44b25d54b23
SHA512 e0a0a1ec9e9380bcc1692016dcadb6b794ef13e3a49b9709799c8b281401cd0faa0b63b0aa0fa750820cdec674f7c6e02e259e66cf843975fcbd49e9c1be021c

memory/2080-2-0x0000000074A20000-0x0000000074A64000-memory.dmp

memory/2696-13-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2080-11-0x0000000000700000-0x000000000075B000-memory.dmp

memory/2080-10-0x0000000074A00000-0x0000000074A44000-memory.dmp

memory/2080-9-0x00000000749D0000-0x0000000074A14000-memory.dmp

memory/2696-14-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2080-15-0x0000000000700000-0x000000000075B000-memory.dmp

memory/2696-18-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2696-16-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2696-17-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2696-19-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2696-20-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0D5D57E1-81A9-11EF-846E-46BBF83CD43C}.dat

MD5 0ea7f9439bccad284264d0fbc6cb6b94
SHA1 36ecdbe89afd864212f73672870a168435025337
SHA256 3b54081a0233e835db490c4431363ff50abdd47b64499b22b65925ebeef8ae0f
SHA512 7fe8eccfd5d62a98503ee8192ca13352d4f4e71b4d2dd952edd9b9c16f506cec1d869e8e783974dc740bac8de816a7840f530dfcd43480d2e7512385a23876c4

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0D5FB941-81A9-11EF-846E-46BBF83CD43C}.dat

MD5 2e9b818441aac3c64545cbc237aff351
SHA1 a05bfc442bda12c3d1db995f49e208f38f47f282
SHA256 e82195188b0ad494f006328e0284ded1da6f5a54dd599af200a50e369e40ed1b
SHA512 a08df7d564badd4a649581251e8ad28068f1b759ab3a33a4783284f31c10c2ec8946c182d8deba41b4b5d88eb1de36577cf74bda91e3a870f57f8de8dd0e67d8

memory/2696-23-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab253F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar25CF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 868d278cd59c30404a7aec1523b61e42
SHA1 63634f75f1070439c853e7b30de9056c69fbfd57
SHA256 4503402354f1d9aa9e58d9d0aa789bf7fd9799c717a806d947e5e4acc21ff74e
SHA512 aea4fe2fbf17f57224078101d78f548ad6754b9fb9bb46de03ce2af572b5917e3088ec36b9b8a00ee59cb652b1abe2043b7c2e679f43fd8e9da50d2ef5c5181f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ee7fce5d04aeb70ec7ac289fe8fc740
SHA1 b2ab06d334ff9a9fb6ce1a3b79f5d06dfeccbb74
SHA256 91f07dad2b49179b6018889d9c523b46595613964662d57770958f340f5af6d7
SHA512 81bf84e74950fa522c12205ffcd6dfe34274cadd9c0591afffbab87350bc1fc9c028f05bb1d955abe8042ab672d14d895b31b2f7d7b1da9b66fee7797e5d8c8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d774856207913b8610616e239829e7b
SHA1 cde6900caa24f688edee457e044a14153f507cef
SHA256 3771fa7d61ca669f2faabe1784e1663061f1b14984dce864fb8c9cc7923f802c
SHA512 ff00488a586419c69e84f1391160d7086d6f329a89bcd71d5e5014fb773fbfc08cd9dc9e7ad0758aef1852e8ebd0acd5894a864d584388a2280ffca6605ddcda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1b0349afeaf57cd638f77f92e5b12b6
SHA1 a01d0d829b021f15a709078088fb2d664dab14a2
SHA256 e76b0d0c24d69b1f1bb7e5047ee0fb586a2f51c7a70d99ebd94f2d2b6b124523
SHA512 b84921a9825544e8073533fcc85e5f3f0158f71d1bec5c5a5a5ceeb399aea4e136c841b871a1f23535b319f9c2ce95670c7e1eb738f7bb85fdefa7b9d14c09f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9f486e4160e3fc8967c8d6d300ccb06
SHA1 32a86d7044dbb5865d0a1ea341a3b5c2e2e50f5d
SHA256 033a44e9f239903143511f5a5e30208135cf3bafff7d453ac230c7fd2b736baa
SHA512 abec50aba7e672d494fef2d115642652844f4b31bc4877a738a47d48ab03a717a44f588da0e2b2ec5c1b8570e7c8c43ce074bb886fcdcbc8d403e3d58a51f796

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a108d63bc312ec8674986e7431cf383
SHA1 da04c698db44efa86ba4e85b4e1230ce6c056c31
SHA256 c65ebea509b9d0401d216b1e6bbe7800e86343bf77549b0e985a1b87c153b792
SHA512 be6a4eda04fefaa8d3c40d306df3a13313207355ffe03c43c0c7d150dacac65776f4d7a9d8029999bf8343986996fea296dd6dbabe39acff9b60a3b5a0bc1be4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f1a67b8990b55e6fa10a3667d7beec1
SHA1 95481e3cb7a323e548bf727de79b3eeb6642650e
SHA256 f40fa4fa29b09d5aa934c9305da9ba78ce1f341b506e67c1e8a9c5725287e358
SHA512 7b5984b5c981a0136a7e9055abd077b8d4408c3f47e72d3d0c7a16ea5c2c6a4245d13babec3715ddc88b79609be775412c0618e3ef2d97173cf4b88dea7e6930

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d875baaca08e268821cd6e2961a511e9
SHA1 d32289978c7ebf6b65f088433a9c8e625213a6af
SHA256 de1935c0666759bece01103473083e4f05d2dfafd9bbf9bb847d2945c1ac9359
SHA512 eb8b41caa0979837e2a78ddc97ae53a46101878143b1e9a438ac78b2b90845209a1feb65ba5bcd31f3925a3e13df37e420aabf0cb555491dad477c61d6340e9f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1038a8e6b279f70121538ddb5ca62b1
SHA1 808922c4a596afb49b78825638c11fe6b847b6a2
SHA256 000a1bb2496d1e6ce8700a85ce285647ba1099728432afd094e332fb57f6e860
SHA512 85ac8fc944c1e5b1775e29f22d1690ddbeadd6326c64512c8a0338901ecf0aa1369f5b9ba963a323efcce3fc57ed0b17925171c04b1637b3cd5daf77a62133f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 855873b7a985a97a141e25fc6b757e25
SHA1 c40a6044bf1ae82c59bba31938b5920b48c2f341
SHA256 191d6376a337396e9ca79f4ba318a75c04fc289ec230864d91cd4a9ccb407259
SHA512 cb0d6f7d873cdd1c0268a227519b1d06d1f89ac4077c95ecffee44d0f7029b341e901b03990f4b2d66e83a4cd2a047748c75effe50915338127a3187f5948f05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 181b08c81536c069806f5078a4e31129
SHA1 9e5985b55fc4e037cc6799d1a2cea414d8c6cfbb
SHA256 c9c42466a21a34a4a553f0ea27f612b72fd1ea7f50d9b07b4b9b28f654ccc6a8
SHA512 edfb57d0292616a091456e73400e5ee60ceedcd6cf6fa7336a630b311fa424a40f0c3a226f1d3888c82fa1a0b5eb4866b3c8d668bb306847b3cd0e142cd3719c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb1df31d104d2ff16ce41cc16e40cf75
SHA1 2135ebb996644ef0fc9434c6fd62590c48262631
SHA256 b748b04c5d9d9bbd6d590979842d74e9a4b57fdc6169a22d4706e4674b6fd667
SHA512 49eb431fa8997bbc5f8a89976cf4a0571e20d2c6689ada2ed42770704c3309a655719362d293f457c0bd504c8a6b16c61b6ac476e286c959aa89f9fb5786e131

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3ee9f543fa9b58c0d689a5dffec8210
SHA1 0f4247a55b8525ca6cd54abc68d3ac0d6244e4b8
SHA256 6d94c2951b1ad1943617c57a0e2875349567c470ab59c8cd4689bd009bd3fe72
SHA512 9bdda7e279c40c4b68da9900b945c3bb79fe143ecf02e159ea3163efe204373e297292179a1c0fa663d6137df13a5a4526fd0b40539918cd256fd813ff26ffd2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d9c2160a351ae1822af7dd7d9683e18
SHA1 de6ee383bb9ce66fcc1f27c559025a03ee010bef
SHA256 32f32cc53542f5d6aed2f2f825024471d16cfa2080ba623702af9975af830f9f
SHA512 f827394d74fcef725edf67c017f7916317c973b18339f666ca3c07ac9227f7b286d14478b0e95165fac5ffa7cf0034e046112eae89f1f5489ba10ec875c033ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36d4f43d6614ef7e95e535a19dbd33c9
SHA1 b0034a03939b827effaf500038c7be458f91b11c
SHA256 1b8c3cbd6d93a7baf6d661b69fb21bc3c9ea1be2f67f64ae2535b5206d907337
SHA512 c5f15b816fd6a431812c83d9ea8aed3ea9200bb57c727f8098d9c81168da2306c3e60e90f28a5a2715553f313655553f8e8b11845b872a16ab02484c302ff5ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac8312f1a35b3748d85b293602728a14
SHA1 cf2b12f5226f9a6d237f88b8bb55f8a88fc04ec6
SHA256 02f54086771fdeb66c8dbfda978288fbd700383a7df86731970381525ed89c9f
SHA512 909eb1df2e04c05b561bd80db0b36fde29dc5fbe7ce59462e35b773f58b83f60eaeaef07a225466e18edf26fb9710697573e18e70149914be9395778a9b025d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b38e6ad741c2636e167bd6d57d588df3
SHA1 978691fe95cc281c45db2c5c5629a63f4f711b25
SHA256 d2cb1fa6b1ac3c1b916a2886e3104b0e1a1c042a64aeee69b7c684c2a46fe305
SHA512 011673878a676b53658c9f675c75003a5d5b4eaf63751d6486e8726d99773bee248da6990cb80fd257d60cd2a6674ca1eaf83b4afc5c3e6e84f74057f629f56f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab32c52f650de65d1f798535d02581bc
SHA1 560ff62490b04611d62856941ece4f6221855fef
SHA256 5845fe10fa2daa884e507924876e3780b4985b7577ca00b44914ac2407453697
SHA512 54e05b1b955e0532b6c19f0bd4fdce803291937b0aec7f2769e7098bc6ea4491a15dc74790e02aff24686c09059dd589f5f7000191ed8a27f11b4fb412b5dc65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8533753f57e87bf5f84c2989826ee620
SHA1 7e7f009c405a92da50f997f3a63bb71c178110d4
SHA256 bed12e13208716643acf722de66696e6a086e8cd5a048018f1cb5bc4f6c07c79
SHA512 e42cc885241bc1564ca71f2af8947c560523cc15607da4c254d7a1bf5365b1e36743c721aaa65853a53071dd500f7929b282fab3ac6e0451d8d84735b17ea2fd