Malware Analysis Report

2025-03-15 08:28

Sample ID 241020-vy84qszgqe
Target 636f143f22e6d1021d92663a3fc34af7_JaffaCakes118
SHA256 e345508bbb1c1c3e2ca99b6066c1d5235ca7d54a697578a01bb5e88e53233829
Tags
discovery persistence ransomware spyware stealer
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

e345508bbb1c1c3e2ca99b6066c1d5235ca7d54a697578a01bb5e88e53233829

Threat Level: Likely malicious

The file 636f143f22e6d1021d92663a3fc34af7_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware spyware stealer

Renames multiple (215) files with added filename extension

Drops file in Drivers directory

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 17:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 17:25

Reported

2024-10-20 17:27

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 36

Network

N/A

Files

memory/1732-0-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 17:25

Reported

2024-10-20 17:27

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

142s

Command Line

C:\Windows\Explorer.EXE

Signatures

Renames multiple (215) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Logo1_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" C:\Windows\Logo1_.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\orbd.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\klist.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\policytool.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpshare.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmlaunch.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\uninstall\rundl132.exe C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\uninstall\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\RichDll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 620 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 336 wrote to memory of 4520 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 620 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 3920 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe
PID 4728 wrote to memory of 2232 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2232 wrote to memory of 2372 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4728 wrote to memory of 3364 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3364 wrote to memory of 740 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4728 wrote to memory of 3440 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBFE5.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/620-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/620-1-0x0000000000440000-0x0000000000460000-memory.dmp

C:\Windows\Logo1_.exe

MD5 4d425eabd3515b50bb5f4f04ebd4c856
SHA1 7c4d4e61452d314a9e9849a2919fb134e04a4c89
SHA256 ed3bd1202f997125b325ab65b411af41e73e2f57ac16117f1b1ab5a28adc1635
SHA512 b75e8d10e275fed44e3b916548337231f3908aed4bde31fd7482192c0a3c7fba2a2b4a72e03ac8afb285e848a930d0e91cb2ac6f045b563807b1fd02b06bcba1

memory/620-12-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4728-10-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aBFE5.bat

MD5 d516658d4fbb8797093797a5331f8c95
SHA1 c742ad18523ed546e08bb504cb2f06f386350026
SHA256 67d8a2b88fa276c1e087054e55766d85f237a7fd3d535d5ff2ceccc45701ae04
SHA512 9509a4be6687828136017e1488863997b40a8f452ab2335d7b24f816d4ca4770992754a72c0dc632de60111d7e60a3e74118e9256ebc7b702a6e8f0d354e093a

C:\Users\Admin\AppData\Local\Temp\636f143f22e6d1021d92663a3fc34af7_JaffaCakes118.exe.exe

MD5 62cdbe7f9b7df91e916fb8d447ddac60
SHA1 6bad6d4c905ce13728442f9d14f4bf712b3e2dc9
SHA256 36b4187c07b0844ff058443a039d88f465c500eb8a1453bcb9d28165722fa3ea
SHA512 6cf775d188e684cc5551df1315712ad2fa2d91977e2beedb32c128efc1e324bc76e648fadf16738e5610f06155b790029752a098f48e16be3937e00cea37ac6b

memory/1748-16-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4728-18-0x0000000000440000-0x0000000000480000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 6f4adf207ef402d9ef40c6aa52ffd245
SHA1 4b05b495619c643f02e278dede8f5b1392555a57
SHA256 d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512 a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

memory/4728-22-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4728-23-0x0000000000440000-0x0000000000480000-memory.dmp

C:\Program Files\7-Zip\7z.exe.Exe

MD5 f472d2b861f338523379919363e2d99b
SHA1 b2f18132eb94f4a0d0ebbc51a8162172df23bcc6
SHA256 8acf4c2001b1f10a8779a0c7b7a03b4e3c88ee9bfdb85eccde1b79dcf31fcb8f
SHA512 1e7f6bee7405049dcf0d5048a65f6645c5681b8be532287fabfb2482cb3abd4edd17fbb0e1b3de70bc2739df7079e14c7069e401f7fc3cded95f6b2c249210a6