Malware Analysis Report

2025-03-15 08:23

Sample ID: 241020-1ljwza1hqc
Target: 643826b5b9cb0926063e65c74de37c49_JaffaCakes118
SHA256: dbc5ffc9c3cffbc65ab30d684dd6e025f95e89b2fb0f71c2f82f9fe534a0a911
Tags: defense_evasion discovery execution impact persistence ransomware
Score: 9/10


Analysis Overview

Score: 9/10

SHA256: dbc5ffc9c3cffbc65ab30d684dd6e025f95e89b2fb0f71c2f82f9fe534a0a911

Threat Level: Likely malicious

The file 643826b5b9cb0926063e65c74de37c49_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware

Deletes shadow copies

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-10-20 21:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 21:44
Reported: 2024-10-20 21:46
Platform: win7-20241010-en
Max time kernel: 150s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1f46329.exe C:\Windows\syswow64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*1f4632 = "C:\\a1f46329\\a1f46329.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\a1f46329 = "C:\\Users\\Admin\\AppData\\Roaming\\a1f46329.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*1f46329 = "C:\\Users\\Admin\\AppData\\Roaming\\a1f46329.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\a1f4632 = "C:\\a1f46329\\a1f46329.exe" C:\Windows\syswow64\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-addr.es N/A N/A
N/A myexternalip.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\vssadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\syswow64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe
PID 1176 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe C:\Windows\syswow64\explorer.exe
PID 2980 wrote to memory of 2836 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2980 wrote to memory of 2904 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe"

C:\Windows\syswow64\explorer.exe

"C:\Windows\syswow64\explorer.exe"

C:\Windows\syswow64\svchost.exe

-k netsvcs

C:\Windows\syswow64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network


Files


C:\Users\Admin\AppData\Local\Temp\Cab4108.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar41F5.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b


Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-20 21:44
Reported: 2024-10-20 21:46
Platform: win10v2004-20241007-en
Max time kernel: 141s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\80cca096.exe C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\80cca09 = "C:\\80cca096\\80cca096.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*0cca09 = "C:\\80cca096\\80cca096.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\80cca096 = "C:\\Users\\Admin\\AppData\\Roaming\\80cca096.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*0cca096 = "C:\\Users\\Admin\\AppData\\Roaming\\80cca096.exe" C:\Windows\SysWOW64\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-addr.es N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3884 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe
PID 1056 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 3012 wrote to memory of 2496 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\643826b5b9cb0926063e65c74de37c49_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\syswow64\explorer.exe"

C:\Windows\SysWOW64\svchost.exe

-k netsvcs

Network


Files
