Malware Analysis Report

2025-08-10 14:17

Sample ID 241016-e2v4aawhjk
Target 4b63895b56f6474707186fd0ef0635c0_JaffaCakes118
SHA256 050c95bd50fd6ea6882bb718cc06a2b692ce0054416e11184cff93ce9199e5ea
Tags
upx gh0strat bootkit discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

050c95bd50fd6ea6882bb718cc06a2b692ce0054416e11184cff93ce9199e5ea

Threat Level: Known bad

The file 4b63895b56f6474707186fd0ef0635c0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx gh0strat bootkit discovery persistence rat

Gh0strat

Gh0st RAT payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

UPX packed file

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 04:26

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 04:26

Reported

2024-10-16 04:29

Platform

win7-20240903-en

Max time kernel

140s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\yjsoft.ini C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe
PID 2100 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe
PID 2100 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe
PID 2100 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe
PID 2100 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe
PID 2100 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe
PID 2100 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe
PID 2100 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe
PID 2412 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Windows\SysWOW64\taskkill.exe
PID 2412 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Windows\SysWOW64\taskkill.exe
PID 2412 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Windows\SysWOW64\taskkill.exe
PID 2412 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Windows\SysWOW64\taskkill.exe
PID 2412 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Fuck.exe
PID 2412 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Fuck.exe
PID 2412 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Fuck.exe
PID 2412 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Fuck.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe

"C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe"

C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe

"C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im KSafeTray.exe

C:\Fuck.exe

C:\Fuck.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nijiawei800.3322.org udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 www.baidu.com udp

Files

memory/2100-0-0x0000000000400000-0x000000000041C000-memory.dmp

\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe

MD5 e651c6a94e98111f5debfbf0d35b98e7
SHA1 3d723000b79532ab5775181da476031780dc4ec4
SHA256 37b79b7cc0f8b8920539dffc24287d79b3ed3136d544030758f09e7cfb8cc130
SHA512 a97eec91a16acd5c14b391a94c5def549844a950f368d9247d2004a1b861983121fc4f006b95d5eaa5b2fae24f848eafc7f6d2eeea9f6f70d5a453efef410867

memory/2100-14-0x0000000002D50000-0x0000000002D84000-memory.dmp

\Users\Admin\AppData\Local\Temp\Temp\csrss.exe

MD5 82a36138830009416a8fae774341f054
SHA1 1afeabede25df0c32a57a064d1be3d1bb4454610
SHA256 8192f98c23ba80b1bd52511a6bf43b7a39c1a12f91f5d09756725a01338af714
SHA512 74eed127f776f8fc6ff39508bff4885c4f7994ff03dfbf637f0d225ee644e2a69d5d81aa8d9c6ac9d49664292a4544c55eaded8e7fa0df4e179768c65e1e2f11

memory/2412-23-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2100-20-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1724-30-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-32-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-29-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-27-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-37-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-47-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-56-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-67-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-71-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-75-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-74-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-69-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-65-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-63-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-61-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-59-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-57-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-53-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-51-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-49-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-45-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-43-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-41-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-39-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-35-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1724-33-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2332-83-0x0000000000400000-0x0000000000404000-memory.dmp

C:\Fuck.exe

MD5 9678be6cf85ce3c178bd37f797671766
SHA1 d9aa32c599decca30111060090dc87df39035bd2
SHA256 1e733e7703bd1e9188d9a800d9073ea23118e01d27c82537819ec9aabc874ddf
SHA512 786f95cf450dfc6671d1536b64f020210ef8d68bfe862af2eaa07d88029ff9aff4258afd7311fa9f42b97b62887c8cde9094e6beb00dd38750cd679588e04ef0

memory/2412-81-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2412-80-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2332-85-0x0000000000400000-0x0000000000404000-memory.dmp

\Windows\SysWOW64\yjsoft.ini

MD5 b61f1a8a82b06e98796e8e573522ea3a
SHA1 0e5193ccd21bf9630f98347425bfda4dfc98d8c9
SHA256 999a3a7835c5d41d7ba7374b0519e56f464b40a30d2f5c74babafc6f0f9c319a
SHA512 a5f48f67c0d96f341fcdd5a4af4f12ecd619fd68aa384b22549f8450dcfe7dce481baf928f02a182bd82f57938c5674175dc476934ff5af043332ddeb0909d69

memory/2412-88-0x0000000020000000-0x0000000020027000-memory.dmp

memory/2412-91-0x00000000004E0000-0x00000000004E1000-memory.dmp

memory/1724-93-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2412-94-0x0000000020000000-0x0000000020027000-memory.dmp

memory/2412-101-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2412-103-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2412-102-0x0000000000020000-0x0000000000024000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 04:26

Reported

2024-10-16 04:29

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\yjsoft.ini C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Fuck.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe N/A
N/A N/A C:\Fuck.exe N/A
N/A N/A C:\Fuck.exe N/A
N/A N/A C:\Fuck.exe N/A
N/A N/A C:\Fuck.exe N/A
N/A N/A C:\Fuck.exe N/A
N/A N/A C:\Fuck.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4724 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe
PID 4724 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe
PID 4724 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe
PID 4724 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe
PID 4724 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe
PID 4724 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe
PID 3288 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Windows\SysWOW64\taskkill.exe
PID 3288 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Windows\SysWOW64\taskkill.exe
PID 3288 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Windows\SysWOW64\taskkill.exe
PID 3288 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Fuck.exe
PID 3288 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Fuck.exe
PID 3288 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe C:\Fuck.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4b63895b56f6474707186fd0ef0635c0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe

"C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe"

C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe

"C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3288 -ip 3288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 220

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im KSafeTray.exe

C:\Fuck.exe

C:\Fuck.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3288 -ip 3288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 924

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/4724-0-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Temp\ÔóÔ󡢿¨ÐÂÊÖ¹¤¾ß.exe

MD5 e651c6a94e98111f5debfbf0d35b98e7
SHA1 3d723000b79532ab5775181da476031780dc4ec4
SHA256 37b79b7cc0f8b8920539dffc24287d79b3ed3136d544030758f09e7cfb8cc130
SHA512 a97eec91a16acd5c14b391a94c5def549844a950f368d9247d2004a1b861983121fc4f006b95d5eaa5b2fae24f848eafc7f6d2eeea9f6f70d5a453efef410867

C:\Users\Admin\AppData\Local\Temp\Temp\csrss.exe

MD5 82a36138830009416a8fae774341f054
SHA1 1afeabede25df0c32a57a064d1be3d1bb4454610
SHA256 8192f98c23ba80b1bd52511a6bf43b7a39c1a12f91f5d09756725a01338af714
SHA512 74eed127f776f8fc6ff39508bff4885c4f7994ff03dfbf637f0d225ee644e2a69d5d81aa8d9c6ac9d49664292a4544c55eaded8e7fa0df4e179768c65e1e2f11

memory/3288-20-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4724-21-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4340-27-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-26-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-25-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-23-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-63-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-69-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-70-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-67-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-65-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-61-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-57-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-55-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-53-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-49-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-45-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-39-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-35-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-33-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-28-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-29-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-59-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-51-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-47-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-43-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-41-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-37-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4340-31-0x0000000010000000-0x000000001003D000-memory.dmp

C:\Fuck.exe

MD5 9678be6cf85ce3c178bd37f797671766
SHA1 d9aa32c599decca30111060090dc87df39035bd2
SHA256 1e733e7703bd1e9188d9a800d9073ea23118e01d27c82537819ec9aabc874ddf
SHA512 786f95cf450dfc6671d1536b64f020210ef8d68bfe862af2eaa07d88029ff9aff4258afd7311fa9f42b97b62887c8cde9094e6beb00dd38750cd679588e04ef0

memory/3860-75-0x0000000000400000-0x0000000000404000-memory.dmp

memory/3860-78-0x0000000000400000-0x0000000000404000-memory.dmp

C:\Windows\SysWOW64\yjsoft.ini

MD5 b61f1a8a82b06e98796e8e573522ea3a
SHA1 0e5193ccd21bf9630f98347425bfda4dfc98d8c9
SHA256 999a3a7835c5d41d7ba7374b0519e56f464b40a30d2f5c74babafc6f0f9c319a
SHA512 a5f48f67c0d96f341fcdd5a4af4f12ecd619fd68aa384b22549f8450dcfe7dce481baf928f02a182bd82f57938c5674175dc476934ff5af043332ddeb0909d69

memory/3288-83-0x0000000020000000-0x0000000020027000-memory.dmp

memory/3288-85-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

memory/3288-88-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3288-89-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4340-90-0x0000000010000000-0x000000001003D000-memory.dmp