Analysis Overview
SHA256
0844b1e0adbf80cc1e36a7be4fbba1eff2aa1ac111d165e6396872dbebc1cc45
Threat Level: Known bad
The file 76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit family
Modifies WinLogon for persistence
Ramnit
UAC bypass
Drops startup file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Checks BIOS information in registry
Adds Run key to start application
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:56
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:56
Reported
2024-10-27 21:58
Platform
win7-20241023-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\mjmhdkvy\\upetnkfp.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Ramnit
Ramnit family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upetnkfp.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upetnkfp.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mucosmhvxehmncpr.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpeTnkfp = "C:\\Users\\Admin\\AppData\\Local\\mjmhdkvy\\upetnkfp.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
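The registry and file-system rows above are the whole persistence and defence-impairment story of the Win7 run, and each carries a caveat worth reading with it. The Userinit write landed under Wow6432Node, the 32-bit redirected view, which the native 64-bit winlogon.exe does not consult, so on this platform the Run value and the Startup-folder copy are the entries that actually fire at next logon. EnableLUA=0 does not bypass UAC so much as switch it off at the next logon, and writing that HKLM policy value already requires an elevated token. Deleting SafeBoot\Minimal entries keeps WinDefend out of Safe Mode, and removing Power and ProfSvc can leave Safe Mode unbootable altogether. The file both entries point at, upetnkfp.exe, carries the same MD5/SHA256 as the submitted sample (see the Files section), so this is a self-copy rather than a second-stage payload. The script below is an added example, not part of this report or of any sandbox's detection code: it reads rows in the report's own table layout and flags each of those behaviours with its ATT&CK sub-technique. The rules and thresholds are mine; the last sample row, a stock Userinit value, is constructed to show that the Userinit rule ignores the default.

```python
import re
from dataclasses import dataclass

# Rows copied from the behavioral1 signature tables of this report, in the
# report's own "| Description | Indicator | Process | Target |" layout.
# The last row is constructed: a stock Userinit value as winlogon.exe itself
# would write it, included to show that the Userinit rule ignores the default.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\mjmhdkvy\\upetnkfp.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upetnkfp.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpeTnkfp = "C:\\Users\\Admin\\AppData\\Local\\mjmhdkvy\\upetnkfp.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," | C:\Windows\system32\winlogon.exe | N/A |
"""


@dataclass
class Finding:
    technique: str  # ATT&CK sub-technique ID
    rule: str
    process: str
    detail: str


# Locations a persistence entry should never point into (case-folded substrings).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\")


def parse_row(line: str):
    """Split one table row into (action, key_or_path, value, process); None if malformed."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    action, indicator, process, _target = cells
    path, _sep, value = indicator.partition(" = ")
    return action.lower(), path, value.strip().strip('"'), process


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def check_row(action: str, path: str, value: str, process: str):
    """Apply the five rules to one row; return a Finding or None."""
    p = path.lower()
    if p.endswith("\\winlogon\\userinit"):
        # The stock value is "userinit.exe," (with or without a full path); any other
        # entry in the comma-separated list is a helper winlogon will launch at logon.
        helpers = [e.strip() for e in value.split(",") if e.strip() and basename(e) != "userinit.exe"]
        if helpers:
            view = " (written to Wow6432Node, the 32-bit redirected view)" if "\\wow6432node\\" in p else ""
            return Finding("T1547.004", "Winlogon Userinit helper", process, ", ".join(helpers) + view)
        return None
    if p.endswith("\\policies\\system\\enablelua") and value == "0":
        return Finding("T1548.002", "UAC disabled via EnableLUA=0", process, path)
    if action.startswith("key deleted") and "\\control\\safeboot\\" in p:
        return Finding("T1562.009", "SafeBoot service entry removed", process, basename(path))
    if RUN_KEY.search(p) and any(m in value.lower() for m in USER_WRITABLE):
        return Finding("T1547.001", "Run key pointing into a user-writable path", process, value)
    if action.startswith("file created") and "\\start menu\\programs\\startup\\" in p:
        return Finding("T1547.001", "Executable dropped in Startup folder", process, basename(path))
    return None


def scan(rows_text: str):
    """Run every row of a signature table through the rules; keep the hits in table order."""
    findings = []
    for line in rows_text.strip().splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        finding = check_row(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.technique}  {f.rule:<42} {f.process}\n    {f.detail}")
```

The same rules apply unchanged to Sysmon event 12/13 registry rows or EDR telemetry once the key path, value and writing process are pulled into the same four fields. Note that the win10v2004 run later in this report fires none of them: the WerFault.exe entries under Program crash show the svchost.exe instances the sample targets crashing, and no persistence indicator is recorded there, so a Win10-only detonation under-reports this family.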
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mucosmhvxehmncpr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mucosmhvxehmncpr.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mucosmhvxehmncpr.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Local\Temp\mucosmhvxehmncpr.exe
"C:\Users\Admin\AppData\Local\Temp\mucosmhvxehmncpr.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | severug.com | udp |
| US | 3.18.7.81:443 | severug.com | tcp |
| US | 3.18.7.81:443 | severug.com | tcp |
| US | 8.8.8.8:53 | xxjrbdguytaii.com | udp |
| US | 8.8.8.8:53 | otwxvbycbupklrrgp.com | udp |
| US | 8.8.8.8:53 | gndlrhqupiy.com | udp |
| US | 8.8.8.8:53 | yiyvlxoswmtwckxn.com | udp |
| US | 8.8.8.8:53 | dafxxtinf.com | udp |
| US | 8.8.8.8:53 | gxuppbuconvlmdr.com | udp |
| US | 8.8.8.8:53 | wdckefhr.com | udp |
| US | 8.8.8.8:53 | ahcqoemxnlyslypato.com | udp |
| US | 8.8.8.8:53 | xvpymvjersquxhjvy.com | udp |
| US | 8.8.8.8:53 | uxbkxoasercwg.com | udp |
| DE | 46.165.221.136:443 | ahcqoemxnlyslypato.com | tcp |
| DE | 46.165.221.136:443 | ahcqoemxnlyslypato.com | tcp |
| NL | 85.17.31.122:443 | dafxxtinf.com | tcp |
| DE | 195.201.179.207:443 | otwxvbycbupklrrgp.com | tcp |
| US | 8.8.8.8:53 | mcmotkvasbspwcoxj.com | udp |
| US | 8.8.8.8:53 | iroedapg.com | udp |
| US | 8.8.8.8:53 | gwmcrygcro.com | udp |
| US | 8.8.8.8:53 | dtkhkcgouppjrh.com | udp |
| US | 8.8.8.8:53 | jocjrnyd.com | udp |
| US | 8.8.8.8:53 | xfdmffxsvgsul.com | udp |
| US | 8.8.8.8:53 | iyuryhnafwicgn.com | udp |
| US | 8.8.8.8:53 | yikjiownjpbbi.com | udp |
| US | 8.8.8.8:53 | pmbapjjfyliyvrw.com | udp |
| US | 8.8.8.8:53 | xvbsjbxqthbftwweva.com | udp |
| US | 8.8.8.8:53 | dbbxxubvuyyyswj.com | udp |
| US | 8.8.8.8:53 | jjoilpdtl.com | udp |
| US | 8.8.8.8:53 | adppxsfil.com | udp |
| US | 8.8.8.8:53 | fvkgqqoesylbx.com | udp |
| US | 8.8.8.8:53 | exedmfwtd.com | udp |
| US | 8.8.8.8:53 | dtpjixtvjdf.com | udp |
| US | 8.8.8.8:53 | buhlubjyuscnoxmcvgn.com | udp |
| US | 8.8.8.8:53 | mvxusiif.com | udp |
| US | 8.8.8.8:53 | sltjbbjssitdrh.com | udp |
| US | 8.8.8.8:53 | iphsdnxkwqpduviwv.com | udp |
| US | 8.8.8.8:53 | neqjmlxaglag.com | udp |
| US | 8.8.8.8:53 | nfslgqyoyrcfgp.com | udp |
| US | 8.8.8.8:53 | prkbfirvqbivvr.com | udp |
| US | 8.8.8.8:53 | xergvwdllrtsvghlgb.com | udp |
| US | 8.8.8.8:53 | kxshkdlcaroenrpuuut.com | udp |
| US | 8.8.8.8:53 | jaymkkxs.com | udp |
| US | 8.8.8.8:53 | nnibhqwcd.com | udp |
| US | 8.8.8.8:53 | pektamjloucjoadqlr.com | udp |
| US | 8.8.8.8:53 | wqytmifkrqv.com | udp |
| US | 8.8.8.8:53 | nsuiudrghjnfpn.com | udp |
| US | 8.8.8.8:53 | tnvfwlmespnj.com | udp |
| US | 8.8.8.8:53 | ltwhajiyacd.com | udp |
| US | 8.8.8.8:53 | dmumqdyh.com | udp |
| US | 8.8.8.8:53 | blacmeiptyy.com | udp |
| US | 8.8.8.8:53 | tcmmtirvgwvw.com | udp |
| US | 8.8.8.8:53 | iliotasgkosov.com | udp |
| US | 8.8.8.8:53 | methlfppvisidsl.com | udp |
| US | 8.8.8.8:53 | oipepputyxwmxj.com | udp |
| US | 8.8.8.8:53 | irfwscup.com | udp |
| US | 8.8.8.8:53 | nivjttdlkg.com | udp |
| US | 8.8.8.8:53 | mspltmvl.com | udp |
| US | 8.8.8.8:53 | yxjyodnumnajgacxj.com | udp |
| US | 8.8.8.8:53 | hrgqrivhcjue.com | udp |
| US | 8.8.8.8:53 | sixytodxegqwqouff.com | udp |
| US | 8.8.8.8:53 | qmuftcyfpefumcb.com | udp |
| US | 8.8.8.8:53 | jsqtvittxanrdib.com | udp |
| US | 8.8.8.8:53 | oeoonsgfscn.com | udp |
| US | 8.8.8.8:53 | qwitdckixifejgmpr.com | udp |
| US | 8.8.8.8:53 | vpruvlpryl.com | udp |
| US | 8.8.8.8:53 | uxeqtbmmtlryj.com | udp |
| US | 8.8.8.8:53 | rbavviguoosurxawptn.com | udp |
| US | 8.8.8.8:53 | oigkmlqhhbiwqshtkb.com | udp |
| US | 8.8.8.8:53 | chdpwcimfqdejegyc.com | udp |
| US | 8.8.8.8:53 | pkqrtwuvkg.com | udp |
| US | 8.8.8.8:53 | xhlsuggy.com | udp |
| US | 8.8.8.8:53 | cmffphdxfhbikjscd.com | udp |
| US | 8.8.8.8:53 | klljutqsdgksbueqkv.com | udp |
| US | 8.8.8.8:53 | deveymmxwrhhh.com | udp |
| US | 8.8.8.8:53 | wnxdypgrcfnnisfhm.com | udp |
| US | 8.8.8.8:53 | pvbsgprotlkq.com | udp |
| US | 8.8.8.8:53 | ubnenubrmli.com | udp |
| US | 8.8.8.8:53 | cmenjlhrtnwlx.com | udp |
| US | 8.8.8.8:53 | nedhetqyug.com | udp |
| US | 8.8.8.8:53 | lxtyrajnawbtjktcqp.com | udp |
| US | 8.8.8.8:53 | dwlgntkbia.com | udp |
| US | 8.8.8.8:53 | dyibcchtjr.com | udp |
| US | 8.8.8.8:53 | uqbborluxkmuggow.com | udp |
| US | 8.8.8.8:53 | lamcqhcdrmebavij.com | udp |
| US | 8.8.8.8:53 | yxlngywtjqcjskudngs.com | udp |
| US | 8.8.8.8:53 | gvwesfebdhv.com | udp |
| US | 8.8.8.8:53 | cwudfstkxdckalb.com | udp |
| US | 8.8.8.8:53 | lwxlxeslaxsm.com | udp |
| US | 8.8.8.8:53 | murojdih.com | udp |
| US | 8.8.8.8:53 | ajjbjmxwwfqdxvnwev.com | udp |
| US | 8.8.8.8:53 | rmdcdmoioq.com | udp |
| US | 8.8.8.8:53 | wycrvwsjue.com | udp |
| US | 8.8.8.8:53 | gsyvxuvnp.com | udp |
| US | 8.8.8.8:53 | nubwxmscbdfkks.com | udp |
| US | 8.8.8.8:53 | xnoosevgfvmkjmcwdx.com | udp |
| US | 8.8.8.8:53 | maecibqfqisk.com | udp |
| US | 8.8.8.8:53 | rucfrkln.com | udp |
| US | 8.8.8.8:53 | mmobykwrs.com | udp |
| US | 8.8.8.8:53 | foqwxiukdsoih.com | udp |
| US | 8.8.8.8:53 | dodwxaaby.com | udp |
| US | 8.8.8.8:53 | tcfvrmjfyuvommwqtu.com | udp |
| US | 8.8.8.8:53 | bomvniqv.com | udp |
| US | 8.8.8.8:53 | iyeiainxagildunawu.com | udp |
| US | 8.8.8.8:53 | kmenfyomeclsqiom.com | udp |
| US | 8.8.8.8:53 | nicmqyfdijmgsd.com | udp |
| US | 8.8.8.8:53 | jxmiujhupeijxpfusmv.com | udp |
| US | 8.8.8.8:53 | fuoiokhlpkwraxsuh.com | udp |
| US | 8.8.8.8:53 | gyixefgej.com | udp |
| US | 8.8.8.8:53 | hfljlkufulv.com | udp |
| US | 8.8.8.8:53 | ghwkuchvnqgk.com | udp |
| US | 8.8.8.8:53 | qafappvkxukfgtpb.com | udp |
| US | 8.8.8.8:53 | kcoxthpnfemmd.com | udp |
| US | 8.8.8.8:53 | xtpawvrk.com | udp |
| US | 8.8.8.8:53 | twepjisccnf.com | udp |
| US | 8.8.8.8:53 | xsvyxluhetidkvmxjb.com | udp |
| US | 8.8.8.8:53 | rhawrjbmabkmnua.com | udp |
| US | 8.8.8.8:53 | gtkrhwcaieo.com | udp |
| US | 8.8.8.8:53 | hgtuxaug.com | udp |
| US | 8.8.8.8:53 | dgmsjosbialyworlu.com | udp |
| US | 8.8.8.8:53 | psxtqtbdc.com | udp |
| US | 8.8.8.8:53 | rjnohxftaxqchx.com | udp |
| US | 8.8.8.8:53 | krfjgirawrnwymikfs.com | udp |
| US | 8.8.8.8:53 | logdykdhiqjfe.com | udp |
| US | 8.8.8.8:53 | kfnbyumolivyts.com | udp |
| US | 8.8.8.8:53 | qaoaphtmhyp.com | udp |
| US | 8.8.8.8:53 | daudnsxxbdpewgqwth.com | udp |
| US | 8.8.8.8:53 | qkyodpbk.com | udp |
| US | 8.8.8.8:53 | bisimmfycgx.com | udp |
| US | 8.8.8.8:53 | mtbsyusyfnxdmr.com | udp |
| US | 8.8.8.8:53 | axjklmrkblufbbttvr.com | udp |
| US | 8.8.8.8:53 | mbiecphlvwirheef.com | udp |
| US | 8.8.8.8:53 | occkdwaryylcexyxipu.com | udp |
| US | 8.8.8.8:53 | sxjgfgakmnesl.com | udp |
| US | 8.8.8.8:53 | hjwyxhggkgigc.com | udp |
| US | 8.8.8.8:53 | rqrlqvoey.com | udp |
| US | 8.8.8.8:53 | ylonicuki.com | udp |
| US | 8.8.8.8:53 | amfkloexwjqdbc.com | udp |
| US | 8.8.8.8:53 | niabbftjesidlicmfew.com | udp |
| US | 8.8.8.8:53 | nmdkbkjtkbskcagyudp.com | udp |
| US | 8.8.8.8:53 | vpfkjrrrlgdfknut.com | udp |
| US | 8.8.8.8:53 | yvupjrajqyfwlnt.com | udp |
| US | 8.8.8.8:53 | hsorqpnpsdetfreqs.com | udp |
| US | 8.8.8.8:53 | hrddblgscsns.com | udp |
| US | 8.8.8.8:53 | jphrnena.com | udp |
| US | 8.8.8.8:53 | qieestggjq.com | udp |
| US | 8.8.8.8:53 | bjueqjpwfnfw.com | udp |
| US | 8.8.8.8:53 | oeovpwqceubayy.com | udp |
| US | 8.8.8.8:53 | gewnkbdimfqd.com | udp |
| US | 8.8.8.8:53 | vvyimyjxytgyxqhxh.com | udp |
| US | 8.8.8.8:53 | jwaiudgrsfaj.com | udp |
| US | 8.8.8.8:53 | eaajkxeks.com | udp |
| US | 8.8.8.8:53 | dsxdkgdksai.com | udp |
| US | 8.8.8.8:53 | jijddhoygrssofogti.com | udp |
| US | 8.8.8.8:53 | gwhwvfxmp.com | udp |
| US | 8.8.8.8:53 | vvcmvkxrqq.com | udp |
| US | 8.8.8.8:53 | scxufwfqmpi.com | udp |
| US | 8.8.8.8:53 | mfrtoccexywpxdnl.com | udp |
| US | 8.8.8.8:53 | kdwbccrjpmbbuchxgvh.com | udp |
| US | 8.8.8.8:53 | rvkalbuvh.com | udp |
| US | 8.8.8.8:53 | lgklpelkusudxqhm.com | udp |
| US | 8.8.8.8:53 | teiwvmsnusodtv.com | udp |
| US | 8.8.8.8:53 | sgwjtnsb.com | udp |
| US | 8.8.8.8:53 | hdyypyuwnlnu.com | udp |
| US | 8.8.8.8:53 | anojvoukljuo.com | udp |
| US | 8.8.8.8:53 | ltkjenhbdfjpmxff.com | udp |
| US | 8.8.8.8:53 | abefdkpjumm.com | udp |
| US | 8.8.8.8:53 | vhmlhlegbolyytpljh.com | udp |
| US | 8.8.8.8:53 | rpyckfedprrwvrfnlhn.com | udp |
| US | 8.8.8.8:53 | kmccrseybpm.com | udp |
| US | 8.8.8.8:53 | ntosbbjebc.com | udp |
| US | 8.8.8.8:53 | mbhwmdna.com | udp |
| US | 8.8.8.8:53 | syepgnppauedwguegvx.com | udp |
| US | 8.8.8.8:53 | gdjxyjbcjrybdsen.com | udp |
| US | 8.8.8.8:53 | pigvujiqcktkm.com | udp |
| US | 8.8.8.8:53 | qllcpbvq.com | udp |
| US | 8.8.8.8:53 | alorlevjeifhkmvtv.com | udp |
| US | 8.8.8.8:53 | utysctqikmoufep.com | udp |
| US | 8.8.8.8:53 | oeqgqmdwyucibylik.com | udp |
| US | 8.8.8.8:53 | jvmfcvpsrdpndpnmtk.com | udp |
| US | 8.8.8.8:53 | seekslpsy.com | udp |
| US | 8.8.8.8:53 | qooiusuelscmeo.com | udp |
| US | 8.8.8.8:53 | oflltjsyi.com | udp |
| US | 8.8.8.8:53 | vacwsfhchqbkgsbq.com | udp |
| US | 8.8.8.8:53 | sntvigffw.com | udp |
| US | 8.8.8.8:53 | olipkxiql.com | udp |
| US | 8.8.8.8:53 | qdolxjyqc.com | udp |
| US | 8.8.8.8:53 | xpaxgwvawyw.com | udp |
| US | 8.8.8.8:53 | yohmexlr.com | udp |
| US | 8.8.8.8:53 | oefpfvlrcamrkwwv.com | udp |
| US | 8.8.8.8:53 | qtnvnpygxvrjju.com | udp |
| US | 8.8.8.8:53 | whqwdurosm.com | udp |
| US | 8.8.8.8:53 | gbllsytd.com | udp |
| US | 8.8.8.8:53 | sufqymfgrkk.com | udp |
| US | 8.8.8.8:53 | ydvlpgbbdqslyiwdub.com | udp |
| US | 8.8.8.8:53 | dmljsfvxgoacefgnn.com | udp |
| US | 8.8.8.8:53 | kpyxgccecyfseccn.com | udp |
| US | 8.8.8.8:53 | tocqmrpwkebuewflhmx.com | udp |
| US | 8.8.8.8:53 | pffbxuxbkk.com | udp |
| US | 8.8.8.8:53 | dllhhxhtraujconf.com | udp |
| US | 8.8.8.8:53 | kjtmludfui.com | udp |
| US | 8.8.8.8:53 | urywjwugcfjleqrs.com | udp |
| US | 8.8.8.8:53 | bdaftldjkgopoppbgn.com | udp |
| US | 8.8.8.8:53 | wrtccfng.com | udp |
| US | 8.8.8.8:53 | dsgkscxv.com | udp |
| US | 8.8.8.8:53 | sdcyrgagjpb.com | udp |
| US | 8.8.8.8:53 | mkttochvbnykg.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
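The table above is a DNS burst: roughly two hundred pseudo-random .com names are looked up through 8.8.8.8 and only three of them (ahcqoemxnlyslypato.com, dafxxtinf.com, otwxvbycbupklrrgp.com) resolve and receive a TCP/443 connection, alongside the fixed hosts google.com (a connectivity check) and severug.com. Whether those three resolving names are live infrastructure or sinkholes is not something the report shows. The script below is an added example, not part of this report: it parses a subset of the rows above, separates names that were only queried from names that were actually contacted, and applies a lexical heuristic of my own (label length, vowel ratio, longest consonant run, two votes of three) to split the contacted hosts into DGA-derived candidates and fixed hosts. The heuristic and its thresholds are assumptions, not Ramnit's generation algorithm.

```python
from collections import namedtuple

# Subset of the Network table above, copied in the report's own
# "| Country | Destination | Domain | Proto |" layout.
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | severug.com | udp |
| US | 3.18.7.81:443 | severug.com | tcp |
| US | 3.18.7.81:443 | severug.com | tcp |
| US | 8.8.8.8:53 | xxjrbdguytaii.com | udp |
| US | 8.8.8.8:53 | otwxvbycbupklrrgp.com | udp |
| US | 8.8.8.8:53 | gndlrhqupiy.com | udp |
| US | 8.8.8.8:53 | yiyvlxoswmtwckxn.com | udp |
| US | 8.8.8.8:53 | dafxxtinf.com | udp |
| US | 8.8.8.8:53 | gxuppbuconvlmdr.com | udp |
| US | 8.8.8.8:53 | wdckefhr.com | udp |
| US | 8.8.8.8:53 | ahcqoemxnlyslypato.com | udp |
| US | 8.8.8.8:53 | xvpymvjersquxhjvy.com | udp |
| US | 8.8.8.8:53 | uxbkxoasercwg.com | udp |
| DE | 46.165.221.136:443 | ahcqoemxnlyslypato.com | tcp |
| DE | 46.165.221.136:443 | ahcqoemxnlyslypato.com | tcp |
| NL | 85.17.31.122:443 | dafxxtinf.com | tcp |
| DE | 195.201.179.207:443 | otwxvbycbupklrrgp.com | tcp |
| US | 8.8.8.8:53 | mcmotkvasbspwcoxj.com | udp |
| US | 8.8.8.8:53 | iroedapg.com | udp |
| US | 8.8.8.8:53 | gwmcrygcro.com | udp |
"""

Row = namedtuple("Row", "country dest domain proto")
VOWELS = set("aeiou")


def parse_network(rows_text: str):
    rows = []
    for line in rows_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(Row(*cells))
    return rows


def registrable_label(domain: str) -> str:
    """'www.example.com' -> 'example' (assumes a single-label public suffix)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lexical_features(domain: str):
    label = registrable_label(domain)
    vowel_ratio = sum(c in VOWELS for c in label) / max(len(label), 1)
    run = longest = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:   # y counts as a consonant here
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return len(label), vowel_ratio, longest


def dga_like(domain: str) -> bool:
    """Heuristic (mine): two of {long label, vowel-poor, long consonant run}."""
    n, vowel_ratio, longest_run = lexical_features(domain)
    votes = sum([n >= 8, vowel_ratio <= 0.35, longest_run >= 4])
    return votes >= 2


def triage(rows_text: str):
    """Split queried-only names from contacted ones; score the contacted ones."""
    rows = parse_network(rows_text)
    queried = {r.domain for r in rows if r.proto == "udp" and r.dest.endswith(":53")}
    contacted = {}
    for r in rows:
        if r.proto == "tcp":
            contacted.setdefault(r.domain, set()).add(r.dest)
    resolved_only = sorted(queried - set(contacted))
    return {
        "queried": len(queried),
        "dga_like_queried": sum(dga_like(d) for d in queried),
        "resolved_only": len(resolved_only),
        "dga_c2": {d: sorted(v) for d, v in contacted.items() if dga_like(d)},
        "static_hosts": sorted(d for d in contacted if not dga_like(d)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(f"{result['queried']} names queried, {result['dga_like_queried']} look generated, "
          f"{result['resolved_only']} never contacted")
    for domain, dests in result["dga_c2"].items():
        print(f"DGA-derived contact: {domain} -> {', '.join(dests)}")
    print("fixed hosts:", ", ".join(result["static_hosts"]))
```

Short, vowel-rich generated names such as iroedapg.com slip past the lexical test, which is why the count of names queried but never contacted in a short window, not the per-name score, is the signal to alert on; the per-name score is only there to rank the few contacted hosts for blocking.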
Files
memory/2556-0-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2556-1-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2556-3-0x0000000000280000-0x0000000000281000-memory.dmp
memory/1256-8-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1256-6-0x0000000020010000-0x000000002001C000-memory.dmp
memory/2556-4-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1256-18-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1256-17-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1256-16-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1256-12-0x0000000020010000-0x000000002001C000-memory.dmp
memory/2356-21-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-47-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-46-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-41-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-40-0x0000000020010000-0x0000000020023000-memory.dmp
C:\Users\Admin\AppData\Local\mjmhdkvy\upetnkfp.exe
| Hash | Value |
| MD5 | 76213d3b0809a3cca7a5d4780be8d4cb |
| SHA1 | 1a2636ca50cbd5d48909d957a8521945634e6415 |
| SHA256 | 0844b1e0adbf80cc1e36a7be4fbba1eff2aa1ac111d165e6396872dbebc1cc45 |
| SHA512 | dc7e1b05ebf5f87fc84438596c3b8b028c99d034ced5c1135f224f2dad0eee718d5255b0f8438547c437f93caad6af27e6eefe403b2b5e98a596b5d20f87a282 |
memory/2556-34-0x000000007723F000-0x0000000077240000-memory.dmp
memory/1256-33-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1256-32-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1256-31-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2356-27-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2556-64-0x0000000002900000-0x000000000294C000-memory.dmp
memory/2556-57-0x0000000002900000-0x000000000294C000-memory.dmp
memory/2556-56-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2556-66-0x000000007723F000-0x0000000077240000-memory.dmp
memory/2896-70-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2896-69-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2896-74-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2356-75-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-85-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-86-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-88-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-89-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-90-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-91-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-92-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-93-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-94-0x0000000020010000-0x0000000020023000-memory.dmp
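The dump names above follow memory/<pid>-<sequence>-<start>-<end>-memory.dmp (my reading of the naming; the report does not define it), and grouping them by process shows two things the flat list hides. PIDs 1256 and 2356 both hold a region at the fixed address 0x20010000 that no image occupies, consistent with code written into the two SysWOW64\svchost.exe instances listed under Processes (the report gives no PIDs, so that mapping is an assumption). PID 2556 holds a second 0x4C000-byte region at 0x2900000, exactly the size of its image at 0x400000, which is where an unpacked or relocated copy of the UPX-packed sample would sit. The parser below is an added example, not part of this report or of the sandbox: it de-duplicates repeated dumps of one region, tags regions by those two data-driven rules, and lists injection candidates. Treating 0x400000 as the image base is an assumption (the default link base of a 32-bit EXE).

```python
import re
from collections import defaultdict

# Dump names copied from the behavioral1 Files list of this report (a subset).
DUMP_NAMES = """
memory/2556-0-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2556-3-0x0000000000280000-0x0000000000281000-memory.dmp
memory/1256-8-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1256-6-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1256-18-0x0000000020010000-0x000000002001C000-memory.dmp
memory/2356-21-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2356-47-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2556-34-0x000000007723F000-0x0000000077240000-memory.dmp
memory/1256-33-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1256-31-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2556-64-0x0000000002900000-0x000000000294C000-memory.dmp
memory/2556-56-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2896-70-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2356-94-0x0000000020010000-0x0000000020023000-memory.dmp
"""

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DEFAULT_EXE_BASE = 0x400000  # assumption: default link base of a 32-bit EXE
PAGE = 0x1000


def parse_dumps(text: str):
    """Return {pid: {(start, end), ...}}; repeated dumps of one region collapse to one entry."""
    regions = defaultdict(set)
    for m in DUMP_RE.finditer(text):
        pid, _seq, start, end = m.groups()
        regions[int(pid)].add((int(start, 16), int(end, 16)))
    return dict(regions)


def tag_regions(regions):
    """Label each region: image, image-sized copy, fixed address shared by processes, page, other."""
    owners = defaultdict(set)           # start address -> set of PIDs that hold it
    for pid, regs in regions.items():
        for start, _end in regs:
            owners[start].add(pid)
    tagged = {}
    for pid, regs in regions.items():
        image_size = next((e - s for s, e in regs if s == DEFAULT_EXE_BASE), None)
        entries = []
        for start, end in sorted(regs):
            size = end - start
            if start == DEFAULT_EXE_BASE:
                tag = "image (default EXE base)"
            elif image_size is not None and size == image_size:
                tag = "image-sized copy (unpacked or relocated image?)"
            elif len(owners[start]) > 1:
                tag = f"fixed address in {len(owners[start])} processes (injection candidate)"
            elif size == PAGE:
                tag = "single page"
            else:
                tag = "other"
            entries.append({"start": start, "end": end, "size": size, "tag": tag})
        tagged[pid] = entries
    return tagged


def injection_candidates(tagged):
    """(pid, start, size) for every region tagged as an injection candidate, sorted by pid."""
    return sorted(
        (pid, r["start"], r["size"])
        for pid, regs in tagged.items()
        for r in regs
        if r["tag"].endswith("(injection candidate)")
    )


if __name__ == "__main__":
    tagged = tag_regions(parse_dumps(DUMP_NAMES))
    for pid in sorted(tagged):
        for r in tagged[pid]:
            print(f"pid {pid:<5} {r['start']:#010x}-{r['end']:#010x} {r['size']:#8x}  {r['tag']}")
    print("injection candidates:", injection_candidates(tagged))
```

The 0x20010000 regions are the ones to pull for a YARA or string pass; the 0x2900000 copy in PID 2556 is the better target for unpacking, since it is the image after the UPX stub has run rather than the packed file on disk.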
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:56
Reported
2024-10-27 21:59
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
144s
Command Line
Signatures
Ramnit
Ramnit family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\clhepahtmpqxsium.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\clhepahtmpqxsium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{581259F1-94AE-11EF-B319-EE81E66BE9E9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "746004461" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140027" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "746004461" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "748035986" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "748035986" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "946161100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140027" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436831174" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140027" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140027" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\clhepahtmpqxsium.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\clhepahtmpqxsium.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76213d3b0809a3cca7a5d4780be8d4cb_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1792 -ip 1792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 204
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:17410 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 204
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:17416 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\clhepahtmpqxsium.exe
"C:\Users\Admin\AppData\Local\Temp\clhepahtmpqxsium.exe"
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver411B.tmp
C:\Users\Admin\AppData\Local\Temp\clhepahtmpqxsium.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US