Malware Analysis Report

2025-01-22 19:57

Sample ID 241016-vq136avfkj
Target 4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118
SHA256 c4c3b4c861caf87da98a17fe58415ccd12d1a32260f34e47b3111a6cd21f7fe1
Tags
discovery persistence ransomware spyware stealer
score
9/10

Analysis Overview

score
9/10

SHA256

c4c3b4c861caf87da98a17fe58415ccd12d1a32260f34e47b3111a6cd21f7fe1

Threat Level: Likely malicious

The file 4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware spyware stealer

Renames multiple (215) files with added filename extension

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 17:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 17:12

Reported

2024-10-16 17:14

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 36

Network

N/A

Files

memory/1560-0-0x0000000000400000-0x000000000044B000-memory.dmp

memory/1560-1-0x0000000000400000-0x000000000044B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 17:12

Reported

2024-10-16 17:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe"

Signatures

Renames multiple (215) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Logo1_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" C:\Windows\Logo1_.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\klist.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpconfig.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\rmid.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\crashreporter.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstack.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\ktab.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\uninstall\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\RichDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\uninstall\rundl132.exe C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5040 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 5040 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 1408 wrote to memory of 2288 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5040 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 3396 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe
PID 4004 wrote to memory of 2628 N/A C:\Windows\Logo1_.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4004 wrote to memory of 1464 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1464 wrote to memory of 796 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4004 wrote to memory of 4684 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4684 wrote to memory of 1608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4004 wrote to memory of 2764 N/A C:\Windows\Logo1_.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB45C.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/5040-0-0x0000000000400000-0x000000000044B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b5soet.dll

MD5 1e9bfb0d105dc2e2afaa14741bd4c692
SHA1 1eaaf954683b6c796226226ebdc84d91d6650499
SHA256 035ca07795b691cc920358767f1eae2921756ba75739637e3f9411866c0db19f
SHA512 3c1f5a5330d4cf16d99cf1956871d5eb017d5951e79404d9dde1f9740935280305eb5cb1f2fa4c02da7d6f2a8c040daf49cc2da7a34f7a484ba83b01b7d72073

memory/5040-5-0x0000000010000000-0x0000000010016000-memory.dmp

memory/5040-6-0x0000000000540000-0x0000000000560000-memory.dmp

memory/5040-9-0x0000000000520000-0x0000000000540000-memory.dmp

C:\Windows\Logo1_.exe

MD5 3eb732a76eaab2e56b1ac4d2ef756bfc
SHA1 6308814ebc92dac58e3b90e6bfdd3f15ff8f4c1c
SHA256 9ab09633bd1cc801dae739ec4220964838c2f1e83f6443af2acc7be6bd3b6d4d
SHA512 520c2b3f21f153fa5ad9f776bd96466e2816e94b18633a827bc6b80f2a0293d6264b75fffa52cd5f748c3ce84b89136ace3d68b2c2096242782471e12bf3fdc4

memory/4004-19-0x0000000000400000-0x000000000044B000-memory.dmp

memory/5040-20-0x0000000000400000-0x000000000044B000-memory.dmp

memory/5040-21-0x0000000010000000-0x0000000010016000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4e0b373a268e744d171ec51b84edb2a7_JaffaCakes118.exe.exe

MD5 eaa0aa6d309d31632f08ccfa42043730
SHA1 409e6aeb82ae337475994fe76c46b1e69014d39c
SHA256 71bff7ce0006bc845e4eb1680fad9687127722f17d15044d8bdf59b693d21c04
SHA512 2fab691a2cee34936dabd14130baab5825ba5d1607d2283cd5940a5d6a22c38d4a7f7daf48f959f2403a922766b94a7e5005b82613e709504b0ed8c43b55c43a

C:\Users\Admin\AppData\Local\Temp\$$aB45C.bat

MD5 03077626f4b11f9462efb3f89fd30ce3
SHA1 42f8be25f6e8ef1bacbe3545188d30f79a5214f0
SHA256 0ce2d7c95413ce39b879d3566949b5380426f5edc690720caf9a17109a3b1c62
SHA512 78ba875a6853398f135adcd19ab788b90dab53a5bec6bd8d8a6a82b070cfe3a7629f413031d278471513f9f583ecc19ebe9b30fa233984bbf42870983d7c72f9

C:\Windows\system32\drivers\etc\hosts

MD5 6f4adf207ef402d9ef40c6aa52ffd245
SHA1 4b05b495619c643f02e278dede8f5b1392555a57
SHA256 d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512 a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

memory/4004-36-0x0000000000400000-0x000000000044B000-memory.dmp

memory/4004-37-0x0000000010000000-0x0000000010016000-memory.dmp

C:\Program Files\7-Zip\7z.exe.Exe

MD5 c0a3ecbc219d7d8f904ce8a3938c0c92
SHA1 18fa91bd3ba3ae5ce9b1fecc4077474a32a13859
SHA256 b16c02cea54dc4f06597b7371486fcd5e39d7b7b08654c2bfc763a17886b90d7
SHA512 90e50fdb1285a44ba91db2f4e8722998dcbcf014bcb15bd280dbd9f39d5a344fcb6b4731ac0a59a084be07349557c76fb2510dd37fec51b2378aca8cd457f9ee