Analysis Overview
SHA256
d0b4b43432238e361c9f553caa05df5c34c462d55bb18a6db5e076faaaf05da9
Threat Level: Known bad
The file 3e263a24122e03e6793a491bfda7942a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NetSupport
Loads dropped DLL
Deletes itself
Checks computer location settings
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 05:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 05:49
Reported
2024-10-13 05:52
Platform
win7-20240903-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
NetSupport
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PlotManage.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\WCL.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PlotManage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PlotManage.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe" /VERYSILENT /SP-
C:\Users\Admin\AppData\Local\Temp\PlotManage.exe
"C:\Users\Admin\AppData\Local\Temp\PlotManage.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 &Del "3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp" /SL5="$80218,2331902,780800,C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe" /VERYSILENT /SP-
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 1
C:\Users\Admin\AppData\Roaming\WinSpo\WCL.exe
"C:\Users\Admin\AppData\Roaming\WinSpo\WCL.exe"
C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe
"C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1860 -s 604
Network
| Country | Destination | Domain | Proto |
| FI | 65.21.198.183:9183 | | tcp |
| US | 8.8.8.8:53 | donutduck.duckdns.org | udp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| NL | 82.115.223.32:1337 | donutduck.duckdns.org | tcp |
| US | 104.26.1.231:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | www.123xch.com | udp |
| US | 8.8.8.8:53 | coinduck.duckdns.org | udp |
| RU | 83.217.208.141:1337 | coinduck.duckdns.org | tcp |
| US | 8.8.8.8:53 | donutduck.duckdns.org | udp |
| NL | 82.115.223.32:1337 | donutduck.duckdns.org | tcp |
| US | 8.8.8.8:53 | coinduck.duckdns.org | udp |
| RU | 83.217.208.141:1337 | coinduck.duckdns.org | tcp |
Files
memory/2724-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp
memory/2724-1-0x00000000010C0000-0x0000000001664000-memory.dmp
memory/2724-2-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp
memory/2724-3-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp
memory/2724-4-0x000000001BDF0000-0x000000001C42C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe
| MD5 | 725506d889dc290b57abee789f86d09e |
| SHA1 | 6239c0862a57a4a1859099a1fc6e70c52f3ee80e |
| SHA256 | b61c57ff173e99dc83c2b4c300072d2b98f86271202ec05f5c94fbf218839507 |
| SHA512 | 63a9f5a3f2f5d996a729cb0863ecf73aab4da047ef297483809113e367151974f8c27f958cd3ae867a179b2cdd4ecb6e4554fa649a395444d5f6226f5bf0ca4a |
C:\Users\Admin\AppData\Local\Temp\PlotManage.exe
| MD5 | 6cf6e85c530e2f6d6e28aa066b19c29b |
| SHA1 | 679cd8304321ab4615793fa24449163fa044fe28 |
| SHA256 | 760dbaef1a097bda49db17342e2bf27c334e3358a515dd53445b55cb01629a31 |
| SHA512 | 08ba349dbba2fc7d0117d3422a66505c166b82b8f3ceff78e7ff1799f6cba1a71a275ea8d7ac9d326cd88528124f5820c7abc3ce01d48828394ad5b9276fbd8b |
memory/2900-16-0x0000000000401000-0x00000000004B7000-memory.dmp
memory/2900-13-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2724-22-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp
| MD5 | 669dc6230c96d8f4e1a831554f655427 |
| SHA1 | 91e57ce09970cba73e638d60ef2faf8bd6aa39ba |
| SHA256 | 35a088a72be2d2aa9c8f2285fbcabb5893582d6bc2dd355b107da081c999db82 |
| SHA512 | 4c6e4033b4287ba8efe3c1843dff0f2498e0ac53ee5993ad51a13879fb32ae65cc146cf25c1c716722c9b6b5affc6a1055939486a5ea2d46f4dfa8809b6489b8 |
memory/2628-28-0x0000000000830000-0x0000000000B6A000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinDPD\is-2R1PQ.tmp
| MD5 | 02b71d7f1eff7aa74b19969b4d2741b9 |
| SHA1 | 8d625c3932b12859268149fa936ee6f607d03a65 |
| SHA256 | 1774899128785abd6015c995316ea2adf26caaaf51825c290b1caf39ad91f5a7 |
| SHA512 | 9092fec5f21f83bf4973d001662e73547c1b4b1cec0a1e55242ddfdca62706b885bb22f0d02b287c9e09641fbe6812cabfe16aa6d881705648cc847856522257 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-7A696.tmp
| MD5 | 812452fb7d6044657f21868f8b046ec8 |
| SHA1 | 2a3d0cfa5ef48c687ed42c101c3466b8104379bf |
| SHA256 | 3a0fcc3de6f38f43bc68c3f7733470c5ae0ba7e44231f381a555c26f72cded2d |
| SHA512 | ff72c6f6e830a34bcb84f44030568b709b422868d93a7ad0c12a2da1d7e1fdee6e048e23b90d87a0d98383d3964ab71d28db98f58ad381c93c06682ae1b4ec36 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-CHTVA.tmp
| MD5 | bf9dd864f5822dc28ffce9529bae15ba |
| SHA1 | ee578ba78ddaf0547edd23355dbc658cdc1b86ab |
| SHA256 | 74328f7f2d08cfc734cc5151bc68377962d1e0a75137908925a604b3d18b7be6 |
| SHA512 | ea00797c9e7117452e3a7f94db016e22dad0246c439daaae304ecfb5c5de19d2db0c63ce1edd135a409f07ba75b19bd6428a7ab6d80a9dc65ff473ff985ef43e |
C:\Users\Admin\AppData\Roaming\WinDPD\is-CKBK0.tmp
| MD5 | 26e28c01461f7e65c402bdf09923d435 |
| SHA1 | 1d9b5cfcc30436112a7e31d5e4624f52e845c573 |
| SHA256 | d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368 |
| SHA512 | c30ec66fecb0a41e91a31804be3a8b6047fc3789306adc106c723b3e5b166127766670c7da38d77d3694d99a8cddb26bc266ee21dba60a148cdf4d6ee10d27d7 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-FM2S7.tmp
| MD5 | 7aa3e993ffef3a554ebab6532eac4075 |
| SHA1 | 92b541293c63a4fb343327a1cc7708f96e7eec74 |
| SHA256 | aaf5bd6cdf7eae9d3ed153033917b3aed750d48ab11222569246db162d94b72e |
| SHA512 | 97d91945d2f90594505ce67e2ce6f9bf4cfabe7ec5a0461ac5bf82c8bd1094308c99a02d4cc25276dc9701c8109afe1f69726964f2e06dce98f005f0e8f5ec49 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-BAGF4.tmp
| MD5 | 88b1dab8f4fd1ae879685995c90bd902 |
| SHA1 | 3d23fb4036dc17fa4bee27e3e2a56ff49beed59d |
| SHA256 | 60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92 |
| SHA512 | 4ea2c20991189fe1d6d5c700603c038406303cca594577ddcbc16ab9a7915cb4d4aa9e53093747db164f068a7ba0f568424bc8cb7682f1a3fb17e4c9ec01f047 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-BVEC2.tmp
| MD5 | ac5d5cc9acad4531ef1bd16145ea68bd |
| SHA1 | f9d92f79a934815b645591ebbd6f5d20aa6a3e38 |
| SHA256 | 68c787616681427557343e42ede5805dfbeeb580c59f69c4706b500f225e2c6b |
| SHA512 | 196863e039e9c83fb0f8eb3f0a6119db31a624e7ef4e9ba99516702e76796957f0ebf87e8728e1bd0de6cd7420bec6e644caa58a0724a7208e9a765d6eb78f64 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-24870.tmp
| MD5 | 3be27483fdcdbf9ebae93234785235e3 |
| SHA1 | 360b61fe19cdc1afb2b34d8c25d8b88a4c843a82 |
| SHA256 | 4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b |
| SHA512 | edbe8cf1cbc5fed80fedf963ade44e08052b19c064e8bca66fa0fe1b332141fbe175b8b727f8f56978d1584baaf27d331947c0b3593aaff5632756199dc470e5 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-1R710.tmp
| MD5 | 191bd0cc859e47aaa7c5195f58f56d4e |
| SHA1 | c2d91b7688ab3d4fbc08dc8df895323ca2c47460 |
| SHA256 | 3d30caf999bbd1c39b681f4782c2f703c02b9956c4a77d7d531e20ca02ffaa29 |
| SHA512 | 9c876afdc1b3cab2c01d1d369d6c532edc4377876ed95f324e0e638860852d41052796a16f7314ef922bb7ff6edb9f3687f6edfb342b6524951906340c614b08 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-Q3T37.tmp
| MD5 | 018b7364f4de19d99c37665eb8555fc5 |
| SHA1 | 661d32b263131f27c890a3a17e3a7f58b0035f93 |
| SHA256 | fb68bf34ae44c30267e5034d65e7d917033631f8290a17de264de5189f1c9e71 |
| SHA512 | 82eb86e58894d3beed9f7efefdd9f8ece4d4d1af7d95e8751054eac18ff8eb08e6bfdd0ccf132f666b2bdd47669fdc4b1fcf4c172a4cf3f25b0464e6943489f8 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-K4VFH.tmp
| MD5 | 21e49d937a929db0ff9c265e8b2b6777 |
| SHA1 | 88000b29bb69b3e8a29f30f0274de3e71a8b7ef7 |
| SHA256 | 9b760f2aa4576d044bcd33e21943a8cbccd9c56d17d598fa509213e05f9939c1 |
| SHA512 | 165664b4d3b6aa2c481665a9aed572a7445cd32052066faf7bf05340820d8afc3cf4660a344d2a06e6f3bcabbfa7923eb61c39b7367735ede0f5154f9696d1bf |
C:\Users\Admin\AppData\Roaming\WinDPD\is-2VNJB.tmp
| MD5 | 1239f15c699caece7ae3b5d2d5cbe312 |
| SHA1 | 3655b2fb3b1f94f2ca670c397d2b1d3b3f44c47e |
| SHA256 | 545e90e66968c26722b23a4cd67d1039027b60fc33a33d669a6de73dd5e6a0af |
| SHA512 | ad0b98ce5633f8d42ead9719420481e9cb0ea0ee6bd38f660261e180425befd4bd7e7acace466c1e15e277b4d48274d0b480a92709529ae901f50e1a77a2f236 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-2UL5J.tmp
| MD5 | 08b0d2ee1c48e37aa2560cb5c1a327e0 |
| SHA1 | ea22db9932ba94b3775d3f3c5b07d451ab6105b1 |
| SHA256 | a199c6653726ba9e0cb9178af9691926c08667d451a3154b5966b2f22c24a64e |
| SHA512 | 785cb3a9ef2cce6afcc86f4d5205c14114040e89c4a9d6091dd9135be69fb62f58c1a0dc0657361c3c5bb3b1d94bf7a019c37fe20c2e53cf7814952fd43d9a67 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-RPU0E.tmp
| MD5 | 0e486de290c0948cc69b74c1e1a8a8a0 |
| SHA1 | 7cb150504196a8cb028f4ec23566cc0760fc72aa |
| SHA256 | 83db250a9a3ea0600dcdd18626b1069701731b99d39207822be8ccd72d311ef5 |
| SHA512 | e175d67da17523177deda8c4e77f213487956bf1783e3a2b576a6918572702343fbec7717711545410e4459aea2bd9a4a455365bba8a0d7afc07a0e47c35a250 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-7U9T6.tmp
| MD5 | 4ae68042d513cba160cdaafe45d35582 |
| SHA1 | 9a07ebd26fab57947b20647ac6ca0019475ffb44 |
| SHA256 | cc2b02ac7ed7656e4d26574367c571dfc44d3f167838f0ee868cdb8b493b3ff4 |
| SHA512 | b78f80697ba16c33ba9ede2d2019ceb6173c8a2d335d6990b75613c1af21669f25ea8f2d0e3c56af08578d038cf3b66ca4e55ca252ad699a805598993a3d5be8 |
memory/2628-142-0x0000000006520000-0x0000000006CF8000-memory.dmp
memory/2900-165-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/1860-170-0x00000000010C0000-0x00000000010C8000-memory.dmp
memory/2024-159-0x0000000000400000-0x00000000006EE000-memory.dmp
memory/2628-175-0x0000000000300000-0x0000000000350000-memory.dmp
memory/2628-176-0x0000000000470000-0x00000000004E0000-memory.dmp
memory/2628-178-0x00000000004E0000-0x00000000004EA000-memory.dmp
memory/2628-177-0x00000000004E0000-0x00000000004EA000-memory.dmp
memory/2628-180-0x00000000006E0000-0x000000000071C000-memory.dmp
memory/2628-181-0x00000000004E0000-0x00000000004EA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 05:49
Reported
2024-10-13 05:52
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
148s
Command Line
Signatures
NetSupport
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Plib.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PlotManage.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0L7LU.tmp\Plib.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\WCL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Plib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PlotManage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-0L7LU.tmp\Plib.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0L7LU.tmp\Plib.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0L7LU.tmp\Plib.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PlotManage.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0L7LU.tmp\Plib.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Plib.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Plib.exe" /VERYSILENT /SP-
C:\Users\Admin\AppData\Local\Temp\PlotManage.exe
"C:\Users\Admin\AppData\Local\Temp\PlotManage.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 &Del "3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-0L7LU.tmp\Plib.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0L7LU.tmp\Plib.tmp" /SL5="$B0052,2331902,780800,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Plib.exe" /VERYSILENT /SP-
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 1
C:\Users\Admin\AppData\Roaming\WinSpo\WCL.exe
"C:\Users\Admin\AppData\Roaming\WinSpo\WCL.exe"
C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe
"C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 65.21.198.183:9183 | | tcp |
| US | 8.8.8.8:53 | www.123xch.com | udp |
| US | 8.8.8.8:53 | donutduck.duckdns.org | udp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| NL | 82.115.223.32:1337 | donutduck.duckdns.org | tcp |
| US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 231.0.26.104.in-addr.arpa | udp |
| US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp |
| US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | coinduck.duckdns.org | udp |
| RU | 83.217.208.141:1337 | coinduck.duckdns.org | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | donutduck.duckdns.org | udp |
| NL | 82.115.223.32:1337 | donutduck.duckdns.org | tcp |
| US | 8.8.8.8:53 | coinduck.duckdns.org | udp |
| RU | 83.217.208.141:1337 | coinduck.duckdns.org | tcp |
Files
memory/4960-1-0x0000020FD6FB0000-0x0000020FD7554000-memory.dmp
memory/4960-0-0x00007FFEBC773000-0x00007FFEBC775000-memory.dmp
memory/4960-2-0x00007FFEBC770000-0x00007FFEBD231000-memory.dmp
memory/4960-3-0x00007FFEBC770000-0x00007FFEBD231000-memory.dmp
memory/4960-4-0x0000020FF1A80000-0x0000020FF20BC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Plib.exe
| MD5 | 725506d889dc290b57abee789f86d09e |
| SHA1 | 6239c0862a57a4a1859099a1fc6e70c52f3ee80e |
| SHA256 | b61c57ff173e99dc83c2b4c300072d2b98f86271202ec05f5c94fbf218839507 |
| SHA512 | 63a9f5a3f2f5d996a729cb0863ecf73aab4da047ef297483809113e367151974f8c27f958cd3ae867a179b2cdd4ecb6e4554fa649a395444d5f6226f5bf0ca4a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\PMGR.exe
| MD5 | 6cf6e85c530e2f6d6e28aa066b19c29b |
| SHA1 | 679cd8304321ab4615793fa24449163fa044fe28 |
| SHA256 | 760dbaef1a097bda49db17342e2bf27c334e3358a515dd53445b55cb01629a31 |
| SHA512 | 08ba349dbba2fc7d0117d3422a66505c166b82b8f3ceff78e7ff1799f6cba1a71a275ea8d7ac9d326cd88528124f5820c7abc3ce01d48828394ad5b9276fbd8b |
memory/4960-32-0x00007FFEBC770000-0x00007FFEBD231000-memory.dmp
memory/224-34-0x0000000074D5E000-0x0000000074D5F000-memory.dmp
memory/1160-33-0x0000000000401000-0x00000000004B7000-memory.dmp
memory/1160-29-0x0000000000400000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-0L7LU.tmp\Plib.tmp
| MD5 | 669dc6230c96d8f4e1a831554f655427 |
| SHA1 | 91e57ce09970cba73e638d60ef2faf8bd6aa39ba |
| SHA256 | 35a088a72be2d2aa9c8f2285fbcabb5893582d6bc2dd355b107da081c999db82 |
| SHA512 | 4c6e4033b4287ba8efe3c1843dff0f2498e0ac53ee5993ad51a13879fb32ae65cc146cf25c1c716722c9b6b5affc6a1055939486a5ea2d46f4dfa8809b6489b8 |
memory/224-38-0x0000000000A90000-0x0000000000DCA000-memory.dmp
memory/224-40-0x0000000007AE0000-0x00000000082B8000-memory.dmp
memory/224-41-0x0000000005090000-0x00000000050E0000-memory.dmp
memory/224-72-0x00000000083C0000-0x0000000008430000-memory.dmp
memory/224-73-0x00000000084D0000-0x0000000008562000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinDPD\is-2VS18.tmp
| MD5 | 02b71d7f1eff7aa74b19969b4d2741b9 |
| SHA1 | 8d625c3932b12859268149fa936ee6f607d03a65 |
| SHA256 | 1774899128785abd6015c995316ea2adf26caaaf51825c290b1caf39ad91f5a7 |
| SHA512 | 9092fec5f21f83bf4973d001662e73547c1b4b1cec0a1e55242ddfdca62706b885bb22f0d02b287c9e09641fbe6812cabfe16aa6d881705648cc847856522257 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-003M6.tmp
| MD5 | 812452fb7d6044657f21868f8b046ec8 |
| SHA1 | 2a3d0cfa5ef48c687ed42c101c3466b8104379bf |
| SHA256 | 3a0fcc3de6f38f43bc68c3f7733470c5ae0ba7e44231f381a555c26f72cded2d |
| SHA512 | ff72c6f6e830a34bcb84f44030568b709b422868d93a7ad0c12a2da1d7e1fdee6e048e23b90d87a0d98383d3964ab71d28db98f58ad381c93c06682ae1b4ec36 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-TKC74.tmp
| MD5 | bf9dd864f5822dc28ffce9529bae15ba |
| SHA1 | ee578ba78ddaf0547edd23355dbc658cdc1b86ab |
| SHA256 | 74328f7f2d08cfc734cc5151bc68377962d1e0a75137908925a604b3d18b7be6 |
| SHA512 | ea00797c9e7117452e3a7f94db016e22dad0246c439daaae304ecfb5c5de19d2db0c63ce1edd135a409f07ba75b19bd6428a7ab6d80a9dc65ff473ff985ef43e |
C:\Users\Admin\AppData\Roaming\WinDPD\is-RH891.tmp
| MD5 | 26e28c01461f7e65c402bdf09923d435 |
| SHA1 | 1d9b5cfcc30436112a7e31d5e4624f52e845c573 |
| SHA256 | d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368 |
| SHA512 | c30ec66fecb0a41e91a31804be3a8b6047fc3789306adc106c723b3e5b166127766670c7da38d77d3694d99a8cddb26bc266ee21dba60a148cdf4d6ee10d27d7 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-V9A52.tmp
| MD5 | 7aa3e993ffef3a554ebab6532eac4075 |
| SHA1 | 92b541293c63a4fb343327a1cc7708f96e7eec74 |
| SHA256 | aaf5bd6cdf7eae9d3ed153033917b3aed750d48ab11222569246db162d94b72e |
| SHA512 | 97d91945d2f90594505ce67e2ce6f9bf4cfabe7ec5a0461ac5bf82c8bd1094308c99a02d4cc25276dc9701c8109afe1f69726964f2e06dce98f005f0e8f5ec49 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-EU18T.tmp
| MD5 | 018b7364f4de19d99c37665eb8555fc5 |
| SHA1 | 661d32b263131f27c890a3a17e3a7f58b0035f93 |
| SHA256 | fb68bf34ae44c30267e5034d65e7d917033631f8290a17de264de5189f1c9e71 |
| SHA512 | 82eb86e58894d3beed9f7efefdd9f8ece4d4d1af7d95e8751054eac18ff8eb08e6bfdd0ccf132f666b2bdd47669fdc4b1fcf4c172a4cf3f25b0464e6943489f8 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-I8POJ.tmp
| MD5 | 191bd0cc859e47aaa7c5195f58f56d4e |
| SHA1 | c2d91b7688ab3d4fbc08dc8df895323ca2c47460 |
| SHA256 | 3d30caf999bbd1c39b681f4782c2f703c02b9956c4a77d7d531e20ca02ffaa29 |
| SHA512 | 9c876afdc1b3cab2c01d1d369d6c532edc4377876ed95f324e0e638860852d41052796a16f7314ef922bb7ff6edb9f3687f6edfb342b6524951906340c614b08 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-RH4VJ.tmp
| MD5 | 3be27483fdcdbf9ebae93234785235e3 |
| SHA1 | 360b61fe19cdc1afb2b34d8c25d8b88a4c843a82 |
| SHA256 | 4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b |
| SHA512 | edbe8cf1cbc5fed80fedf963ade44e08052b19c064e8bca66fa0fe1b332141fbe175b8b727f8f56978d1584baaf27d331947c0b3593aaff5632756199dc470e5 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-8R0FR.tmp
| MD5 | ac5d5cc9acad4531ef1bd16145ea68bd |
| SHA1 | f9d92f79a934815b645591ebbd6f5d20aa6a3e38 |
| SHA256 | 68c787616681427557343e42ede5805dfbeeb580c59f69c4706b500f225e2c6b |
| SHA512 | 196863e039e9c83fb0f8eb3f0a6119db31a624e7ef4e9ba99516702e76796957f0ebf87e8728e1bd0de6cd7420bec6e644caa58a0724a7208e9a765d6eb78f64 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-7BH44.tmp
| MD5 | 88b1dab8f4fd1ae879685995c90bd902 |
| SHA1 | 3d23fb4036dc17fa4bee27e3e2a56ff49beed59d |
| SHA256 | 60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92 |
| SHA512 | 4ea2c20991189fe1d6d5c700603c038406303cca594577ddcbc16ab9a7915cb4d4aa9e53093747db164f068a7ba0f568424bc8cb7682f1a3fb17e4c9ec01f047 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-RUCQL.tmp
| MD5 | 21e49d937a929db0ff9c265e8b2b6777 |
| SHA1 | 88000b29bb69b3e8a29f30f0274de3e71a8b7ef7 |
| SHA256 | 9b760f2aa4576d044bcd33e21943a8cbccd9c56d17d598fa509213e05f9939c1 |
| SHA512 | 165664b4d3b6aa2c481665a9aed572a7445cd32052066faf7bf05340820d8afc3cf4660a344d2a06e6f3bcabbfa7923eb61c39b7367735ede0f5154f9696d1bf |
C:\Users\Admin\AppData\Roaming\WinDPD\is-RNCKP.tmp
| MD5 | 1239f15c699caece7ae3b5d2d5cbe312 |
| SHA1 | 3655b2fb3b1f94f2ca670c397d2b1d3b3f44c47e |
| SHA256 | 545e90e66968c26722b23a4cd67d1039027b60fc33a33d669a6de73dd5e6a0af |
| SHA512 | ad0b98ce5633f8d42ead9719420481e9cb0ea0ee6bd38f660261e180425befd4bd7e7acace466c1e15e277b4d48274d0b480a92709529ae901f50e1a77a2f236 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-FC4VD.tmp
| MD5 | 0e486de290c0948cc69b74c1e1a8a8a0 |
| SHA1 | 7cb150504196a8cb028f4ec23566cc0760fc72aa |
| SHA256 | 83db250a9a3ea0600dcdd18626b1069701731b99d39207822be8ccd72d311ef5 |
| SHA512 | e175d67da17523177deda8c4e77f213487956bf1783e3a2b576a6918572702343fbec7717711545410e4459aea2bd9a4a455365bba8a0d7afc07a0e47c35a250 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-BKJ98.tmp
| MD5 | 4ae68042d513cba160cdaafe45d35582 |
| SHA1 | 9a07ebd26fab57947b20647ac6ca0019475ffb44 |
| SHA256 | cc2b02ac7ed7656e4d26574367c571dfc44d3f167838f0ee868cdb8b493b3ff4 |
| SHA512 | b78f80697ba16c33ba9ede2d2019ceb6173c8a2d335d6990b75613c1af21669f25ea8f2d0e3c56af08578d038cf3b66ca4e55ca252ad699a805598993a3d5be8 |
C:\Users\Admin\AppData\Roaming\WinDPD\is-FHHTL.tmp
| MD5 | 08b0d2ee1c48e37aa2560cb5c1a327e0 |
| SHA1 | ea22db9932ba94b3775d3f3c5b07d451ab6105b1 |
| SHA256 | a199c6653726ba9e0cb9178af9691926c08667d451a3154b5966b2f22c24a64e |
| SHA512 | 785cb3a9ef2cce6afcc86f4d5205c14114040e89c4a9d6091dd9135be69fb62f58c1a0dc0657361c3c5bb3b1d94bf7a019c37fe20c2e53cf7814952fd43d9a67 |
memory/224-158-0x0000000008830000-0x00000000088EA000-memory.dmp
memory/224-177-0x0000000009340000-0x00000000098E4000-memory.dmp
memory/224-178-0x0000000008C30000-0x0000000008C6C000-memory.dmp
memory/1160-183-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2224-181-0x00000204B7BD0000-0x00000204B7BD8000-memory.dmp
memory/324-179-0x0000000000400000-0x00000000006EE000-memory.dmp
memory/224-188-0x000000000BFD0000-0x000000000BFD8000-memory.dmp
memory/224-189-0x000000000C430000-0x000000000C468000-memory.dmp
memory/224-190-0x000000000BFE0000-0x000000000BFEE000-memory.dmp
memory/224-191-0x0000000005770000-0x0000000005778000-memory.dmp
memory/224-192-0x0000000074D5E000-0x0000000074D5F000-memory.dmp