Analysis Overview
SHA256
3224d36db7a560fe8bedc982346e41c78c9704e00bf9085f0a3ef0b491710715
Threat Level: Known bad
The file 16cf1b5fdb75b32737e162897992e252_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Ramnit
UAC bypass
Checks computer location settings
Loads dropped DLL
Impair Defenses: Safe Mode Boot
Drops startup file
Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-05 07:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-05 07:51
Reported
2024-10-05 07:54
Platform
win7-20240903-en
Max time kernel
144s
Max time network
142s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\tgykyajt\\xbrydqmx.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Ramnit
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xbrydqmx.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xbrydqmx.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qroulfrqyrwcfuls.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\XbrYdqmx = "C:\\Users\\Admin\\AppData\\Local\\tgykyajt\\xbrydqmx.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\qroulfrqyrwcfuls.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\qroulfrqyrwcfuls.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Local\Temp\qroulfrqyrwcfuls.exe
"C:\Users\Admin\AppData\Local\Temp\qroulfrqyrwcfuls.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.180.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | htmthgurhtchwlhwklf.com | udp |
| US | 162.249.65.200:443 | htmthgurhtchwlhwklf.com | tcp |
| US | 162.249.65.200:443 | htmthgurhtchwlhwklf.com | tcp |
| US | 8.8.8.8:53 | jiwucjyxjibyd.com | udp |
| US | 8.8.8.8:53 | khddwukkbwhfdiufhaj.com | udp |
| US | 8.8.8.8:53 | snoknwlgcwgaafbtqkt.com | udp |
| US | 8.8.8.8:53 | tfgyaoingy.com | udp |
| US | 8.8.8.8:53 | ukiixagdbdkd.com | udp |
| US | 8.8.8.8:53 | swbadolov.com | udp |
| US | 8.8.8.8:53 | ouljuvkvn.com | udp |
| US | 8.8.8.8:53 | tiqfgpaxvmhsxtk.com | udp |
| US | 8.8.8.8:53 | cxatodxefolgkokdqy.com | udp |
| DE | 46.165.220.143:443 | ukiixagdbdkd.com | tcp |
| US | 204.95.99.223:443 | snoknwlgcwgaafbtqkt.com | tcp |
| DE | 195.201.179.207:443 | tfgyaoingy.com | tcp |
| US | 199.59.243.227:443 | khddwukkbwhfdiufhaj.com | tcp |
| US | 8.8.8.8:53 | ubkfgwqslhqyy.com | udp |
| US | 8.8.8.8:53 | caytmlnlrou.com | udp |
| US | 8.8.8.8:53 | qbsqnpyyooh.com | udp |
| IE | 34.253.216.9:443 | ubkfgwqslhqyy.com | tcp |
| US | 8.8.8.8:53 | vrguyjjxorlyen.com | udp |
| US | 8.8.8.8:53 | nvepdnpx.com | udp |
| US | 8.8.8.8:53 | vwaeloyyutodtr.com | udp |
| US | 8.8.8.8:53 | gokbwlivwvgqlretxd.com | udp |
| US | 8.8.8.8:53 | mukevipvxvrq.com | udp |
| US | 8.8.8.8:53 | empsqyowjuvvsvrwj.com | udp |
| US | 8.8.8.8:53 | duomyvwabkuappgqxhp.com | udp |
| US | 8.8.8.8:53 | voohnyqdinl.com | udp |
| US | 8.8.8.8:53 | ncxphtrpiawmchfylsy.com | udp |
| US | 8.8.8.8:53 | xwrmquiqjdsxk.com | udp |
| US | 8.8.8.8:53 | ldiogjdyyxacm.com | udp |
| US | 8.8.8.8:53 | kuetvxnntsk.com | udp |
| US | 8.8.8.8:53 | lsawmyxqxvmogvxifm.com | udp |
| US | 8.8.8.8:53 | ppdbeidwufrb.com | udp |
| US | 8.8.8.8:53 | tfipmwkcgigiey.com | udp |
| US | 8.8.8.8:53 | pgahbyurf.com | udp |
| US | 8.8.8.8:53 | yaesbfejdxs.com | udp |
| US | 8.8.8.8:53 | yeokcogbbprvybwqn.com | udp |
| US | 8.8.8.8:53 | ocwbuffwnj.com | udp |
| US | 8.8.8.8:53 | pubecchfuxgquhguye.com | udp |
| US | 8.8.8.8:53 | cpugvsnhyrueqcyxnvo.com | udp |
| US | 8.8.8.8:53 | bxqqsoxw.com | udp |
| US | 8.8.8.8:53 | gvjkpsip.com | udp |
| US | 8.8.8.8:53 | garxfslj.com | udp |
| US | 8.8.8.8:53 | jpeobmbipilmwsc.com | udp |
| US | 8.8.8.8:53 | mfpgvhnjp.com | udp |
| US | 8.8.8.8:53 | sjolcaml.com | udp |
| US | 8.8.8.8:53 | spykqqdavslss.com | udp |
| US | 8.8.8.8:53 | hcegcnlr.com | udp |
| US | 8.8.8.8:53 | derdamdyvt.com | udp |
| US | 8.8.8.8:53 | hnywdakvhxvuoeuap.com | udp |
| US | 8.8.8.8:53 | fxamvtgx.com | udp |
| US | 8.8.8.8:53 | rxkcrxbkc.com | udp |
| US | 8.8.8.8:53 | wavmiijmnswdmbuhcn.com | udp |
| US | 8.8.8.8:53 | gylgunsiciis.com | udp |
| US | 8.8.8.8:53 | exvpgubuxrdvhijan.com | udp |
| US | 8.8.8.8:53 | mvorlnmwfkayjrqfni.com | udp |
| US | 8.8.8.8:53 | nhvfyugxtgrnk.com | udp |
| US | 8.8.8.8:53 | ktltiueyc.com | udp |
| US | 8.8.8.8:53 | ndtdktwnkplaavqsfa.com | udp |
| US | 8.8.8.8:53 | pvgnfjpvih.com | udp |
| US | 8.8.8.8:53 | ftmtkcjkomqdw.com | udp |
| US | 8.8.8.8:53 | shkxklmbrgcqoeh.com | udp |
| US | 8.8.8.8:53 | daxwkcompfufkvaa.com | udp |
| US | 8.8.8.8:53 | ttwiysoohhkrhl.com | udp |
| US | 8.8.8.8:53 | yblmyabknhn.com | udp |
| US | 8.8.8.8:53 | rbafexvqgsmmnnvfv.com | udp |
| US | 8.8.8.8:53 | nkootxbt.com | udp |
| US | 8.8.8.8:53 | anypbvojndegpnm.com | udp |
| DE | 46.165.220.143:443 | anypbvojndegpnm.com | tcp |
| US | 8.8.8.8:53 | apimyackpqd.com | udp |
| US | 8.8.8.8:53 | jptkockakusewlaqfdt.com | udp |
| US | 8.8.8.8:53 | kbohjdsc.com | udp |
| US | 8.8.8.8:53 | qxthcmscxhradd.com | udp |
| US | 8.8.8.8:53 | ldyyuwwwgw.com | udp |
| US | 8.8.8.8:53 | eonvwoabjwow.com | udp |
| US | 8.8.8.8:53 | rrnuptrt.com | udp |
| US | 8.8.8.8:53 | ksynclhbmctx.com | udp |
| US | 8.8.8.8:53 | nwakycbynypuhbpkpx.com | udp |
| US | 8.8.8.8:53 | kabywdoswjvqgdso.com | udp |
| US | 8.8.8.8:53 | miafnrcwjddy.com | udp |
| US | 8.8.8.8:53 | lnolxrnhb.com | udp |
| US | 8.8.8.8:53 | fjegwqbvoae.com | udp |
| US | 8.8.8.8:53 | ryauwismekfu.com | udp |
| US | 8.8.8.8:53 | njopiyisfxnxw.com | udp |
| US | 8.8.8.8:53 | kuftuiyxrlyrbffu.com | udp |
| US | 8.8.8.8:53 | xjxsswjhxpfekmlcwv.com | udp |
| US | 8.8.8.8:53 | xpgpwjnpcgatgypiepg.com | udp |
| US | 8.8.8.8:53 | hrwgpaisqjtadka.com | udp |
| US | 8.8.8.8:53 | xtjjsdpqjrckayml.com | udp |
| US | 8.8.8.8:53 | rirbqsrjqsnw.com | udp |
| US | 8.8.8.8:53 | jmdqxtwclkxellkxgn.com | udp |
| US | 8.8.8.8:53 | ggplhlwurkffvsfxxdh.com | udp |
| US | 8.8.8.8:53 | gjkdyorakldhem.com | udp |
| US | 8.8.8.8:53 | gmajhefkqm.com | udp |
| US | 8.8.8.8:53 | iaoaagmfylemjyq.com | udp |
| US | 8.8.8.8:53 | mesctomcqxdvseeesd.com | udp |
| US | 8.8.8.8:53 | hbjgehxcf.com | udp |
| US | 8.8.8.8:53 | xhxiowpga.com | udp |
| US | 8.8.8.8:53 | ypwubsqx.com | udp |
| US | 8.8.8.8:53 | gadwjccnb.com | udp |
| US | 8.8.8.8:53 | lecgcbtmbnofr.com | udp |
| US | 8.8.8.8:53 | wgyndijomue.com | udp |
| US | 8.8.8.8:53 | riacjyielwbe.com | udp |
| US | 8.8.8.8:53 | clufudjixpqmyspofp.com | udp |
| US | 8.8.8.8:53 | otfbjejwjvcno.com | udp |
| US | 8.8.8.8:53 | takpkwhluhhediie.com | udp |
| US | 8.8.8.8:53 | ieqpusccgyvca.com | udp |
| US | 8.8.8.8:53 | pqqvrioftjalqahlo.com | udp |
| US | 8.8.8.8:53 | omqluoghcqw.com | udp |
| US | 8.8.8.8:53 | oxlbfdxd.com | udp |
| US | 8.8.8.8:53 | ciqeutekeaojdxcxu.com | udp |
| US | 8.8.8.8:53 | udyrxoed.com | udp |
| US | 8.8.8.8:53 | qfdufqnr.com | udp |
| US | 8.8.8.8:53 | uuwqjcksfo.com | udp |
| US | 8.8.8.8:53 | fjaapqjsqreelq.com | udp |
| US | 8.8.8.8:53 | yywtmnpgo.com | udp |
| US | 8.8.8.8:53 | owjvhbqartmagudc.com | udp |
| US | 8.8.8.8:53 | lvhsmwthsn.com | udp |
| US | 8.8.8.8:53 | xsmhhtctdkvikelygk.com | udp |
| US | 8.8.8.8:53 | fymctauygyk.com | udp |
| US | 8.8.8.8:53 | attqfideqdholwyafo.com | udp |
| US | 8.8.8.8:53 | lhvlyhgojmdtq.com | udp |
| US | 8.8.8.8:53 | pbpanibyxfajxlr.com | udp |
| US | 8.8.8.8:53 | wbuvoybqnqsbmhcdcfs.com | udp |
| US | 8.8.8.8:53 | ijjuircfabvpqh.com | udp |
| US | 8.8.8.8:53 | mrigtuhohkbsju.com | udp |
| US | 8.8.8.8:53 | iueenjqheehbvhpkp.com | udp |
| US | 8.8.8.8:53 | wpahyhff.com | udp |
| US | 8.8.8.8:53 | nfadxfjmdfvqpj.com | udp |
| US | 8.8.8.8:53 | hgbstappdn.com | udp |
| US | 8.8.8.8:53 | lkvcgnfsyhvlugcap.com | udp |
| US | 8.8.8.8:53 | llhbeoxrxoqk.com | udp |
| US | 8.8.8.8:53 | jdcfoplrebamtbcqa.com | udp |
| US | 8.8.8.8:53 | hjxaihieibafwv.com | udp |
| US | 8.8.8.8:53 | xyttylxriaj.com | udp |
| US | 8.8.8.8:53 | jlormrurxa.com | udp |
| US | 8.8.8.8:53 | gpngcqfqrjmfydxckai.com | udp |
| US | 8.8.8.8:53 | xsflgqxa.com | udp |
| US | 8.8.8.8:53 | ecguxgqdjcyhggfk.com | udp |
| US | 8.8.8.8:53 | vqokjkmppvllwxuk.com | udp |
| US | 8.8.8.8:53 | ybxgengtxtycjemmqng.com | udp |
| US | 8.8.8.8:53 | mshvgpvvs.com | udp |
| US | 8.8.8.8:53 | tuddhpqmbadaaht.com | udp |
| US | 8.8.8.8:53 | uxxykffflohlhskeyi.com | udp |
| US | 8.8.8.8:53 | iibdbafng.com | udp |
| US | 8.8.8.8:53 | rcsllpxjlsypet.com | udp |
| US | 8.8.8.8:53 | xfjiribvjqd.com | udp |
| US | 8.8.8.8:53 | mmxqkwglxtdtor.com | udp |
| US | 8.8.8.8:53 | nvsgajhivvn.com | udp |
| US | 8.8.8.8:53 | prqerbwwjvw.com | udp |
| US | 8.8.8.8:53 | xorutrhmdjwmfcpgsvq.com | udp |
| US | 8.8.8.8:53 | gnmbqnxvumfclqyug.com | udp |
| US | 8.8.8.8:53 | iblgthye.com | udp |
| US | 8.8.8.8:53 | yktervxj.com | udp |
| US | 8.8.8.8:53 | bfbbvadypijthjh.com | udp |
| US | 8.8.8.8:53 | hhtxwgap.com | udp |
| US | 8.8.8.8:53 | ptxfoqfjjxhdnekeh.com | udp |
| US | 8.8.8.8:53 | fmwuiydsiqsporrgw.com | udp |
| US | 8.8.8.8:53 | faexhycctgxdl.com | udp |
| US | 8.8.8.8:53 | eehckdyaxxjqhdo.com | udp |
| US | 8.8.8.8:53 | cdorpnmmafnomwyeny.com | udp |
| US | 8.8.8.8:53 | rxatjyykg.com | udp |
| US | 8.8.8.8:53 | yrluloqkxujrvv.com | udp |
| US | 8.8.8.8:53 | mmdchhrh.com | udp |
| US | 8.8.8.8:53 | ltqgnbgqukixovfdaoi.com | udp |
| US | 8.8.8.8:53 | vqurlimfhvxttpjr.com | udp |
| US | 8.8.8.8:53 | buoprdhrhaighfcfl.com | udp |
| US | 8.8.8.8:53 | lvmmllrmkpdll.com | udp |
| US | 8.8.8.8:53 | cbscmebdlyfkdeeasmu.com | udp |
| US | 8.8.8.8:53 | nucpjoumgxmhndsob.com | udp |
| US | 8.8.8.8:53 | xqelqiidxspuqvi.com | udp |
| US | 8.8.8.8:53 | osajklwmmhjp.com | udp |
| US | 8.8.8.8:53 | qdonhyqsieseoqlm.com | udp |
| US | 8.8.8.8:53 | gaohkehqjs.com | udp |
| US | 8.8.8.8:53 | nulthurgrjvwqokbic.com | udp |
| US | 8.8.8.8:53 | lrpvmktouq.com | udp |
| US | 8.8.8.8:53 | sohwjlifxvlmfguite.com | udp |
| US | 8.8.8.8:53 | hpswpjjmvccxmimedi.com | udp |
| US | 8.8.8.8:53 | ecuamsraikwrwki.com | udp |
| US | 8.8.8.8:53 | kyonhkyryembre.com | udp |
| US | 8.8.8.8:53 | vcxkjqaswogrbmqgfyf.com | udp |
| US | 8.8.8.8:53 | ksewxcnjo.com | udp |
| US | 8.8.8.8:53 | xllnolng.com | udp |
| US | 8.8.8.8:53 | treayxvaoaqol.com | udp |
| US | 8.8.8.8:53 | uoqdcxvy.com | udp |
| US | 8.8.8.8:53 | xjhhggbuufmlirsmgjx.com | udp |
| US | 8.8.8.8:53 | dsooagtnljlwfpmewvm.com | udp |
| US | 8.8.8.8:53 | cwnwhjtgqtt.com | udp |
| US | 8.8.8.8:53 | dcdtpewhb.com | udp |
| US | 8.8.8.8:53 | havonolwc.com | udp |
| US | 8.8.8.8:53 | yvywhtknppwkfcfvyhj.com | udp |
| US | 8.8.8.8:53 | yniktagnfeuapbkkjm.com | udp |
| US | 8.8.8.8:53 | eijabgcrvhynghfx.com | udp |
| US | 8.8.8.8:53 | vomdkymumbypgiqba.com | udp |
| US | 8.8.8.8:53 | gggyexvskphnets.com | udp |
| US | 8.8.8.8:53 | ivjbicjj.com | udp |
| US | 8.8.8.8:53 | qqtxsbps.com | udp |
| US | 8.8.8.8:53 | ljxvlmvyyqjch.com | udp |
| US | 8.8.8.8:53 | kfucikjlowsaypemxe.com | udp |
| US | 8.8.8.8:53 | uqmgwttutorxwgums.com | udp |
| US | 8.8.8.8:53 | dtqmfjuwgawuoswof.com | udp |
| US | 8.8.8.8:53 | hvjunwdwyoypxkk.com | udp |
| US | 8.8.8.8:53 | uhguoyhafk.com | udp |
| US | 8.8.8.8:53 | nyigwkvffift.com | udp |
| US | 8.8.8.8:53 | gllurecirqjdybfy.com | udp |
| US | 8.8.8.8:53 | jkocxjytlxvytl.com | udp |
| US | 8.8.8.8:53 | oqrmgtfyglxye.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.180.14:80 | google.com | tcp |
| GB | 142.250.180.14:80 | google.com | tcp |
Files
memory/2908-0-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/2908-1-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2908-5-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/2908-4-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2908-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2908-37-0x000000007707F000-0x0000000077080000-memory.dmp
memory/2388-19-0x0000000020010000-0x000000002001C000-memory.dmp
memory/2388-18-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1148-44-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-50-0x0000000020010000-0x000000002002C000-memory.dmp
memory/2908-52-0x0000000077080000-0x0000000077081000-memory.dmp
memory/1148-43-0x0000000020010000-0x000000002002C000-memory.dmp
C:\Users\Admin\AppData\Local\tgykyajt\xbrydqmx.exe
| MD5 | 16cf1b5fdb75b32737e162897992e252 |
| SHA1 | 0770aab281b2b6c9ef1c422db33e9fcffc5a8189 |
| SHA256 | 3224d36db7a560fe8bedc982346e41c78c9704e00bf9085f0a3ef0b491710715 |
| SHA512 | aec0a85790ffcaf93be518e0ae1982f3ce5b1d6b042dc2866d56a9b649ca8f43be7377d4a8fbb413e282935b9b926aa9ce70ea71a1319c5a4a1598eeb264ad17 |
memory/2388-17-0x0000000020010000-0x000000002001C000-memory.dmp
memory/2388-13-0x0000000020010000-0x000000002001C000-memory.dmp
memory/2908-36-0x0000000077080000-0x0000000077081000-memory.dmp
memory/2388-35-0x0000000000060000-0x0000000000061000-memory.dmp
memory/2388-34-0x0000000000050000-0x0000000000051000-memory.dmp
memory/2388-33-0x0000000000070000-0x0000000000071000-memory.dmp
memory/1148-29-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-23-0x0000000020010000-0x000000002002C000-memory.dmp
memory/2388-9-0x0000000000050000-0x0000000000051000-memory.dmp
memory/2388-7-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1148-54-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-63-0x0000000020010000-0x000000002002C000-memory.dmp
memory/2908-64-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2908-65-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/2908-83-0x000000007707F000-0x0000000077080000-memory.dmp
memory/2908-82-0x0000000002650000-0x000000000268A000-memory.dmp
memory/2908-81-0x0000000002650000-0x000000000268A000-memory.dmp
memory/2908-74-0x0000000002640000-0x000000000267A000-memory.dmp
memory/2908-73-0x0000000002640000-0x000000000267A000-memory.dmp
memory/1716-90-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/1716-89-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1148-91-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-92-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-93-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-94-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-95-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-97-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-98-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-99-0x0000000020010000-0x000000002002C000-memory.dmp
memory/1148-100-0x0000000020010000-0x000000002002C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-05 07:51
Reported
2024-10-05 07:54
Platform
win10v2004-20240802-en
Max time kernel
92s
Max time network
143s
Command Line
Signatures
Ramnit
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smbosisrbhdfrsqw.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smbosisrbhdfrsqw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135483" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135483" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135483" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2527430714" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B65C26D5-82EE-11EF-9A03-DA2E3A28CA1B} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2329774363" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135483" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2327743443" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2327743443" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434879699" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\smbosisrbhdfrsqw.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\smbosisrbhdfrsqw.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16cf1b5fdb75b32737e162897992e252_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1144 -ip 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 204
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3544 CREDAT:17410 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3260 -ip 3260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 204
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3544 CREDAT:17416 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\smbosisrbhdfrsqw.exe
"C:\Users\Admin\AppData\Local\Temp\smbosisrbhdfrsqw.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1932-0-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/1932-1-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1932-2-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/1932-4-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/1932-6-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/1932-5-0x0000000000900000-0x0000000000901000-memory.dmp
memory/1932-7-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1144-9-0x0000000000600000-0x0000000000601000-memory.dmp
memory/1144-8-0x0000000000620000-0x0000000000621000-memory.dmp
memory/1932-10-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1932-11-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/1932-17-0x0000000077362000-0x0000000077363000-memory.dmp
memory/1932-13-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/1932-18-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/1932-19-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/1932-20-0x0000000077362000-0x0000000077363000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | db7c83e09ebc4317f2bf2df7f66b8513 |
| SHA1 | 29d58ef43f72ce7cf79ce6109d038a6c9b4873f0 |
| SHA256 | 1ae4c8aa37bf433bc5b3b45e017c95bf843c7dbbe348c78c7ab6f3cad0fda4b8 |
| SHA512 | 6eb46ae0c3e091ba13b1c0e3fb6de568882940df7968d0e1297568ea5356a4691f2a869c7c9ac9e9642bcc2e4e1388d00b15c663276143e8cb5015ab89c27867 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 90b9cad631915f24849acd63937e79e8 |
| SHA1 | de1e107005e94f40409f2c3ec31b5c7c94011883 |
| SHA256 | 8db28400adee8ea5ac24ff8f6dda1f0019ac04c7484e9f3a7648188ac18a27cd |
| SHA512 | c8c60b0a3766a9fd822ab8bdfdc71ffd0c3f3cb8ab3506755417d2f3398e02d38f85442584cf431d245201fcb8ca345d127d519ec39647af0c287bc04380d363 |
C:\Users\Admin\AppData\Local\Temp\smbosisrbhdfrsqw.exe
| MD5 | 16cf1b5fdb75b32737e162897992e252 |
| SHA1 | 0770aab281b2b6c9ef1c422db33e9fcffc5a8189 |
| SHA256 | 3224d36db7a560fe8bedc982346e41c78c9704e00bf9085f0a3ef0b491710715 |
| SHA512 | aec0a85790ffcaf93be518e0ae1982f3ce5b1d6b042dc2866d56a9b649ca8f43be7377d4a8fbb413e282935b9b926aa9ce70ea71a1319c5a4a1598eeb264ad17 |
memory/1932-38-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5012-42-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/5012-41-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5012-45-0x0000000000400000-0x0000000000439FE4-memory.dmp
memory/5012-44-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGWUB7UN\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |