Malware Analysis Report

2024-10-18 23:13

Sample ID 241013-ctsxvaycrn
Target 3d43c7a4be9da757591f4052c133b58f_JaffaCakes118
SHA256 d572a3e702f57df2dd68da71520522dea73e0b71e4d7087361fafb8d3afa75a5
Tags
stealer eternity discovery evasion spyware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d572a3e702f57df2dd68da71520522dea73e0b71e4d7087361fafb8d3afa75a5

Threat Level: Known bad

The file 3d43c7a4be9da757591f4052c133b58f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

stealer eternity discovery evasion spyware trojan upx

Eternity family

Contains code to disable Windows Defender

Eternity

Modifies Windows Defender Real-time Protection settings

Detects Eternity stealer

NirSoft WebBrowserPassView

Detected Nirsoft tools

Disables Task Manager via registry modification

Reads user/profile data of web browsers

Windows security modification

Drops startup file

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

UPX packed file

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 02:22

Signatures

Contains code to disable Windows Defender


Detects Eternity stealer

stealer

Eternity family

eternity

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 02:22

Reported

2024-10-13 02:25

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe"

Signatures

Contains code to disable Windows Defender


Detects Eternity stealer

stealer

Eternity

eternity

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A

Detected Nirsoft tools


NirSoft WebBrowserPassView


Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A

UPX packed file

upx

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bfsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\winhlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\splwow64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xwizard.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tarmcucx.dnn\dd.exe
PID 2248 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe C:\Windows\system32\WerFault.exe
PID 2816 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\tarmcucx.dnn\dd.exe C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
PID 2216 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\WScript.exe
PID 1152 wrote to memory of 1368 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1368 wrote to memory of 2104 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
PID 2216 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\WScript.exe
PID 1632 wrote to memory of 2416 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2416 wrote to memory of 1964 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
PID 2216 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\WScript.exe
PID 1684 wrote to memory of 1724 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1724 wrote to memory of 872 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
PID 1724 wrote to memory of 1532 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\splwow64.exe
PID 1724 wrote to memory of 1784 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\hh.exe
PID 2216 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\WScript.exe
PID 1564 wrote to memory of 860 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 860 wrote to memory of 1404 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\xwizard.exe
PID 2216 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\cmd.exe
PID 2636 wrote to memory of 2212 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Users\Admin\AppData\Local\Temp\tarmcucx.dnn\dd.exe

"C:\Users\Admin\AppData\Local\Temp\tarmcucx.dnn\dd.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2248 -s 1124

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6muX+SLVfepJcK7ZJtwoeVF785WCnIoIuzIhyWNzKgwvuOrXCyijC3rKE0OC9XJFZ56fDgGKqTpMYXxm7p5+tZ4Ex1prba4YUN0IODgr5FUXGOh802CtM6AuQYF6lIYIA=

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"

C:\Users\Admin\AppData\Local\Temp\splwow64.exe

C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"

C:\Users\Admin\AppData\Local\Temp\hh.exe

C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\xwizard.exe

C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 itroublvehacker.gq udp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 02:22

Reported

2024-10-13 02:25

Platform

win10v2004-20241007-en

Max time kernel

98s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe"

Signatures

Contains code to disable Windows Defender


Detects Eternity stealer

stealer

Eternity

eternity

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A

Detected Nirsoft tools


NirSoft WebBrowserPassView


Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A

UPX packed file

upx

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\winhlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\splwow64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xwizard.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bfsvc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1200 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe
PID 2200 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
PID 2632 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\WScript.exe
PID 1028 wrote to memory of 1548 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1548 wrote to memory of 4012 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
PID 2632 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\WScript.exe
PID 2780 wrote to memory of 1252 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1252 wrote to memory of 2104 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
PID 1252 wrote to memory of 2104 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
PID 1252 wrote to memory of 2104 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
PID 2632 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\WScript.exe
PID 2632 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\WScript.exe
PID 3116 wrote to memory of 4624 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3116 wrote to memory of 4624 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4624 wrote to memory of 4692 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
PID 4624 wrote to memory of 4692 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
PID 4624 wrote to memory of 4692 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
PID 4624 wrote to memory of 3344 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\splwow64.exe
PID 4624 wrote to memory of 3344 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\splwow64.exe
PID 4624 wrote to memory of 3344 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\splwow64.exe
PID 4624 wrote to memory of 2848 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\hh.exe
PID 4624 wrote to memory of 2848 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\hh.exe
PID 4624 wrote to memory of 2848 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\hh.exe
PID 2632 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\WScript.exe
PID 2632 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\WScript.exe
PID 4368 wrote to memory of 4440 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4368 wrote to memory of 4440 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4440 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\xwizard.exe
PID 4440 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\xwizard.exe
PID 4440 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\xwizard.exe
PID 2632 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\cmd.exe
PID 2632 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe C:\Windows\System32\cmd.exe
PID 2996 wrote to memory of 4476 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 2996 wrote to memory of 4476 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe

"C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe"

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6muX+SLVfepJcK7ZJtwoeVF785WCnIoIuzIhyWNzKgwvuOrXCyijC3rKE0OC9XJFZ56fDgGKqTpMYXxm7p5+tZ4Ex1prba4YUN0IODgr5FUXGOh802CtM6AuQYF6lIYIA=

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"

C:\Users\Admin\AppData\Local\Temp\splwow64.exe

C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"

C:\Users\Admin\AppData\Local\Temp\hh.exe

C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\xwizard.exe

C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 itroublvehacker.gq udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 api64.ipify.org udp
US 173.231.16.77:443 api64.ipify.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 77.16.231.173.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/1200-0-0x00007FFCFB9A3000-0x00007FFCFB9A5000-memory.dmp

memory/1200-1-0x00000000001B0000-0x000000000084C000-memory.dmp

memory/1200-2-0x0000000002A70000-0x0000000002AC0000-memory.dmp

memory/1200-4-0x000000001B7D0000-0x000000001BAE6000-memory.dmp

memory/1200-3-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

memory/1200-5-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

memory/1200-7-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

memory/1200-8-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe

MD5 86f99a591d58073029e3a9d74cdd7217
SHA1 50495581f8969122e31ecf2647212e655aad8d15
SHA256 5be174b8ccfec18e449b6f8358a4c51100fd1cbd36f82876f3cd2a4c21fe360d
SHA512 8e553e0fd9486761f548d98c46fe1e4e568ad2d0bef6a422e07b8900b6b0152b6544e74a3dec5208211a6ec807ddbfa107f465068338a1060ac66cb261888be6

memory/1200-20-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

memory/2200-19-0x00000144D0D50000-0x00000144D102E000-memory.dmp

memory/3044-21-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

memory/3044-22-0x000001AF78730000-0x000001AF78752000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ewaoahct.et5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3044-32-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

memory/3044-33-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

memory/2200-34-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

MD5 88ab0bb59b0b20816a833ba91c1606d3
SHA1 72c09b7789a4bac8fee41227d101daed8437edeb
SHA256 f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
SHA512 05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

memory/3044-49-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

memory/2200-52-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

memory/2632-55-0x00000220FF390000-0x00000220FF66A000-memory.dmp

memory/2632-56-0x000002209A190000-0x000002209A4D2000-memory.dmp

memory/2632-57-0x0000022081810000-0x0000022081816000-memory.dmp

memory/2632-58-0x00000220FFA80000-0x00000220FFAF6000-memory.dmp

memory/2632-59-0x000002209A4D0000-0x000002209A580000-memory.dmp

memory/1200-90-0x00007FFCFB9A0000-0x00007FFCFC461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\config

MD5 5cf0b95f68c3304427f858db1cdde895
SHA1 a0c5c3872307e9497f8868b9b8b956b9736a9cdf
SHA256 353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa
SHA512 5c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b

memory/2632-93-0x000002209B070000-0x000002209B07C000-memory.dmp

memory/2632-95-0x000002209B080000-0x000002209B0B2000-memory.dmp

memory/2632-94-0x00000220FF9C0000-0x00000220FF9DA000-memory.dmp

memory/2632-92-0x000002209A150000-0x000002209A180000-memory.dmp

memory/2632-96-0x000002209B0E0000-0x000002209B182000-memory.dmp

memory/2632-97-0x00000220FF9A0000-0x00000220FF9A8000-memory.dmp

memory/2632-101-0x00000220FFA50000-0x00000220FFA6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\compile.vbs

MD5 ca906422a558f4bc9e471709f62ec1a9
SHA1 e3da070007fdeae52779964df6f71fcb697ffb06
SHA256 abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee
SHA512 661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 d90accebb3f79fe65cd938425c07b0ae
SHA1 9df3812a88d87dd419cd9e89afa5fb1d71be0dc9
SHA256 aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e
SHA512 44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe

MD5 899d3ed011eb58459b8a4fc2b81f0924
SHA1 80361f1e0b93143ec1ddfee156760f5938c85791
SHA256 5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954
SHA512 802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg

MD5 5242530a2b65089696f3cf8e5ee02ff7
SHA1 d604293148cdd953b3368c54920c043cffe9e1c1
SHA256 239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781
SHA512 7aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 808099bfbd62ec04f0ed44959bbc6160
SHA1 f4b6853d958c2c4416f6e4a5be8a11d86f64c023
SHA256 f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8
SHA512 e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

MD5 053778713819beab3df309df472787cd
SHA1 99c7b5827df89b4fafc2b565abed97c58a3c65b8
SHA256 f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
SHA512 35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt

MD5 c3c5f2de99b7486f697634681e21bab0
SHA1 00f90d495c0b2b63fde6532e033fdd2ade25633d
SHA256 76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582
SHA512 7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 eb51755b637423154d1341c6ee505f50
SHA1 d71d27e283b26e75e58c0d02f91d91a2e914c959
SHA256 db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9
SHA512 e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

MD5 a776e68f497c996788b406a3dc5089eb
SHA1 45bf5e512752389fe71f20b64aa344f6ca0cad50
SHA256 071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1
SHA512 02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

memory/4692-134-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\splwow64.exe

MD5 0d8360781e488e250587a17fbefa646c
SHA1 29bc9b438efd70defa8fc45a6f8ee524143f6d04
SHA256 ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64
SHA512 940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

memory/3344-137-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hh.exe

MD5 4d4c98eca32b14aeb074db34cd0881e4
SHA1 92f213d609bba05d41d6941652a88c44936663a4
SHA256 4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f
SHA512 959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

memory/3344-148-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4692-146-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cookies1

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\Cookies3

MD5 2a66151ff8f4df4f996d99abb362e793
SHA1 2bf1b19229b46e3da870b76b2bf6136e5378393d
SHA256 810a70cc17ddfcb562826f2d0c8317d95500e6532bed141cdccc5a15333622ef
SHA512 92d9391591a989d714b6ae9bbe5659993d5047847e0248fccdf1b628153686b5adc32839c93068625a28fb256d69342d0bdbb2e5e9bc1613416a651bb434250b

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 91128da441ad667b8c54ebeadeca7525
SHA1 24b5c77fb68db64cba27c338e4373a455111a8cc
SHA256 50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873
SHA512 bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

C:\Users\Admin\AppData\Local\Temp\xwizard.exe

MD5 df991217f1cfadd9acfa56f878da5ee7
SHA1 0b03b34cfb2985a840db279778ca828e69813116
SHA256 deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112
SHA512 175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

C:\Users\Admin\AppData\Local\Temp\xwizard.cfg

MD5 ae8eed5a6b1470aec0e7fece8b0669ef
SHA1 ca0e896f90c38f3a8bc679ea14c808726d8ef730
SHA256 3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e
SHA512 e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

C:\Users\Admin\AppData\Local\Temp\bhvE6D6.tmp

MD5 391f49090a831c187485fe2f5dc11c1b
SHA1 dd10d034009bb5caf506797ec50c3728a2c40064
SHA256 4491fb5c75d5ec6e7b69a6a09921eeefe8480a1891819b4398e20bd71020b763
SHA512 019d00adc0e44741f84b7a3785769222d1636c4939ad56c65d6b25d1da9b94d30a2e4dd5a9e977d182ddf11f64f57e22591269c1e3f253144927a49606090279

C:\Users\Admin\AppData\Local\Temp\Admin_History.txt

MD5 b19b7a517f2a815566fce3026313bf39
SHA1 cf243c4fc48c3d04802fd91c0da5ce525990dc53
SHA256 bb644a745eb2a2269a686e4031ad2446a96473c49f329baea00a68ca514f264d
SHA512 856043f4dc358ac526037089245e5866920eda888566c3f86a4b6dbcaf7b35f05977f5144ff2ec428d0dbbe15f93bd59205327d686b49da2c83917661ee60197

C:\Users\Admin\AppData\Local\Temp\whysosad

MD5 fc3c88c2080884d6c995d48e172fbc4f
SHA1 cb1dcc479ad2533f390786b0480f66296b847ad3
SHA256 1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664
SHA512 4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1