Malware Analysis Report

2025-08-10 16:41

Sample ID 241030-rm2zhatnbs
Target 7f85f00af073eeaba1e19077285ae933_JaffaCakes118
SHA256 e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984
Tags
upx defense_evasion discovery evasion persistence trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984

Threat Level: Likely malicious

The file 7f85f00af073eeaba1e19077285ae933_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx defense_evasion discovery evasion persistence trojan

Event Triggered Execution: Image File Execution Options Injection

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Adds Run key to start application

Enumerates connected drives

Indicator Removal: Clear Persistence

Indicator Removal: File Deletion

Checks for any installed AV software in registry

Checks whether UAC is enabled

Drops autorun.inf file

UPX packed file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 14:19

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 14:19

Reported

2024-10-30 14:21

Platform

win7-20240708-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"

Signatures

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\smss.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
N/A N/A C:\Windows\SysWOW64\com\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\com\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\com\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\com\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Windows\SysWOW64\com\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Windows\SysWOW64\com\lsass.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File opened (read-only) \??\E: \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\com\lsass.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\com\lsass.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\smss.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A

Indicator Removal: File Deletion

defense_evasion

Drops autorun.inf file

Description Indicator Process Target
File opened for modification D:\AUTORUN.INF \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened for modification \??\E:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification D:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification D:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File opened for modification \??\E:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened for modification D:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification \??\E:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File opened for modification \??\E:\AUTORUN.INF \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\00302.log \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened for modification C:\Windows\SysWOW64\com\lsass.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\00302.log C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\netcfg.000 C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\00302.log C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\com\lsass.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\com\smss.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\netcfg.000 C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\dnsq.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\dnsq.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\bak C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\smss.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\00302.log C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification \??\c:\windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
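The rows in the signature tables above are four columns (Description, Indicator, Process, Target) flattened onto one space-separated line, and the Indicator and Process values themselves contain spaces ("Windows NT", "Image File Execution Options") and paths, so they cannot be split naively. The Python below is an added example, not part of the sandbox output: it parses such rows back into fields and turns them into a de-duplicated IOC list (registry keys, dropped files, process images) of the kind you would feed to a registry or file hunt. It keys on the Description vocabulary that actually appears on this page, assumes the Target column never contains a space (true for every row here), and the sample rows are copied from the tables above. It keeps the recorded action next to each key rather than trusting the signature titles, because every row under "Adds Run key to start application" and "Event Triggered Execution: Image File Execution Options Injection" is a "Key deleted" event, and it treats the \??\c:\...\...jaffacakes118.exe.log path as a process image, which is how the report records it (the sample runs a copy of itself under that name).

```python
import re
from dataclasses import dataclass

# Description values that occur on this page. 'Token: X' and the WriteProcessMemory
# rows carry their detail inside the description, so they are matched as patterns.
DESC_RE = re.compile(
    r"^(?P<desc>Key deleted|Key opened|Key created|Key value queried|Set value \(str\)|"
    r"File opened for modification|File opened \(read-only\)|File created|"
    r"Token: \S+|PID \d+ wrote to memory of \d+|N/A) (?P<rest>.*)$"
)
# A Process column is a Win32 path (C:\...) or the NT object form the sandbox also uses (\??\c:\...).
PROC_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\?\?\\)")


@dataclass(frozen=True)
class Row:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(line):
    """Split one flattened 'Description Indicator Process Target' line into its four columns."""
    m = DESC_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised row: %r" % line)
    tokens = m.group("rest").split(" ")
    target = tokens.pop()  # assumption: Target never contains a space (holds for every row on this page)
    # The indicator may itself be a path (dropped file, CLSID value), so the process is the
    # right-most path-looking token and the indicator is everything before it.
    proc_idx = next((i for i in range(len(tokens) - 1, -1, -1) if PROC_RE.match(tokens[i])), None)
    if proc_idx is None:
        process = tokens.pop()  # the literal N/A
        indicator = " ".join(tokens) or "N/A"
    else:
        process = tokens[proc_idx]
        indicator = " ".join(tokens[:proc_idx]) or "N/A"
    return Row(m.group("desc"), indicator, process, target)


def normalize_path(p):
    """Rewrite sandbox NT-style paths into the form a registry or file hunt query uses."""
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\REGISTRY\\MACHINE\\"):
        p = "HKLM\\" + p[len("\\REGISTRY\\MACHINE\\"):]
    elif p.startswith("\\REGISTRY\\USER\\"):
        p = "HKU\\" + p[len("\\REGISTRY\\USER\\"):]
    if re.match(r"^[a-z]:\\", p):  # drive letter case varies between rows (C:\ vs c:\)
        p = p[0].upper() + p[1:]
    return p


def extract_iocs(lines):
    """Bucket the rows' indicators into registry / files / processes, de-duplicated case-insensitively."""
    iocs = {"registry": {}, "files": {}, "processes": {}}
    for line in lines:
        if not line.strip() or line.startswith("Description "):
            continue  # blank line or the column header
        row = parse_row(line)
        if row.description.startswith(("Key ", "Set value")):
            bucket = "registry"
        elif row.description.startswith("File "):
            bucket = "files"
        else:
            bucket = None
        if bucket and row.indicator != "N/A":
            ind = normalize_path(row.indicator)
            iocs[bucket].setdefault(ind.casefold(), (ind, row.description))  # keep the action with the key
        # The Target of a WriteProcessMemory row is the child image, so it is a process too.
        children = [row.target] if row.description.startswith("PID ") else []
        for proc in [row.process] + children:
            if proc != "N/A":
                p = normalize_path(proc)
                iocs["processes"].setdefault(p.casefold(), p)
    return iocs


# Sample rows copied from the tables of this report, covering the row shapes that need care.
SAMPLE_ROWS = [
    r"Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A",
    r"File created C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A",
    r"File opened for modification D:\AUTORUN.INF \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A",
    r"PID 2704 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe",
    r"N/A N/A C:\Windows\SysWOW64\ping.exe N/A",
    r"N/A N/A N/A N/A",
]

if __name__ == "__main__":
    for bucket, entries in extract_iocs(SAMPLE_ROWS).items():
        print(bucket)
        for value in entries.values():
            print("   ", value)
```

Run it as a script to print the three buckets; to process the whole report, pass the lines of a signature table to extract_iocs (the header line and blank lines are skipped). The right-most-path rule is what makes rows such as the regsvr32 InprocServer32 value parse correctly, since the indicator there already contains a quoted C:\ path before the real process column.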

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\com\lsass.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" C:\Windows\SysWOW64\regsvr32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\com\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\com\lsass.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
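Two things in this report are worth detecting on an endpoint independently of the file hashes: lsass.exe and smss.exe running from C:\Windows\SysWOW64\com\ (Windows only runs those names from %SystemRoot%\System32, and only from a fixed parent), with the copy named lsass.exe enabling SeDebugPrivilege as the rows above show, and a process whose image name ends in .exe.log. The Python below is an added example, not part of the report or any vendor rule set. It runs that logic over constructed Sysmon-style process-creation events: the image paths and PIDs 1780/2704/2852/2908 follow this report's process rows, while the parent of the sample, the PID and parent of the fake lsass.exe, and the benign baseline event are invented for the example. The expected-parent table is general Windows knowledge, not something the report states.

```python
import ntpath
from dataclasses import dataclass

# Windows starts these only from %SystemRoot%\System32 and only from a fixed parent.
# General Windows knowledge, not something the report states.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_PARENT = {
    "smss.exe": {"system", "smss.exe"},  # session-0 instance from System, per-session copies from smss.exe
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "lsass.exe": {"wininit.exe"},
    "services.exe": {"wininit.exe"},
}
PE_EXTENSIONS = {".exe", ".com", ".scr"}  # assumption: any other extension on a process image is a renamed PE


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon-style process-creation record (the Event ID 1 fields the checks need)."""
    pid: int
    ppid: int
    image: str          # as logged: Win32 path, or the \??\c:\... NT form the sandbox also uses
    parent_image: str


def win32_path(p):
    return p[4:] if p.startswith("\\??\\") else p


def check_event(ev):
    """Return the reasons this process-creation event is suspicious (empty list if none)."""
    directory, name = ntpath.split(win32_path(ev.image))
    name_l = name.casefold()
    parent_l = ntpath.basename(win32_path(ev.parent_image)).casefold()
    reasons = []
    if name_l in EXPECTED_PARENT:
        if directory.casefold() != SYSTEM32:
            reasons.append("%s masquerade: image in %s, not %s" % (name, directory, SYSTEM32))
        if parent_l not in EXPECTED_PARENT[name_l]:
            reasons.append("%s masquerade: parent %s, expected one of %s"
                           % (name, parent_l, sorted(EXPECTED_PARENT[name_l])))
    if ntpath.splitext(name_l)[1] not in PE_EXTENSIONS:
        reasons.append("renamed executable: image name %s has no PE extension" % name)
    return reasons


def scan(events):
    """Map pid -> reasons for every event that trips at least one check."""
    hits = {}
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"
SAMPLE_LOG_COPY = r"\??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
# Constructed events. Images and PIDs 1780/2704/2852/2908 follow the WriteProcessMemory rows of this
# report; the sample's parent, the fake lsass.exe's PID and parent, and the baseline event are invented.
SAMPLE_EVENTS = [
    ProcEvent(1780, 1200, SAMPLE, r"C:\Windows\explorer.exe"),
    ProcEvent(2704, 1780, r"C:\Windows\SysWOW64\cmd.exe", SAMPLE),
    ProcEvent(2852, 2704, r"C:\Windows\SysWOW64\com\smss.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(2908, 1780, SAMPLE_LOG_COPY, SAMPLE),
    ProcEvent(3100, 2908, r"C:\Windows\SysWOW64\com\lsass.exe", SAMPLE_LOG_COPY),
    ProcEvent(488, 392, r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\wininit.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        for reason in reasons:
            print(pid, reason)
```

Run as a script it reports PIDs 2852, 2908 and 3100 and stays silent on the real lsass.exe started by wininit.exe. The parent check matters as much as the path check: a copy of a system binary dropped into System32 itself would pass the directory test, but it would still be started by cmd.exe or by the dropper rather than by wininit.exe or smss.exe.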

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1780 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2704 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2704 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2704 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 1780 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
PID 1780 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
PID 1780 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
PID 1780 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
PID 2908 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2560 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2560 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2560 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2560 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2600 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2600 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2600 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2600 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2648 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2648 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2648 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2648 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2104 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2104 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2104 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2104 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2260 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2260 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2260 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2260 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2264 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2264 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2264 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2264 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2268 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2268 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2268 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2268 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2268 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2268 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2268 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2908 wrote to memory of 308 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2908 wrote to memory of 308 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2908 wrote to memory of 308 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2908 wrote to memory of 308 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
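The sandbox logs one row per WriteProcessMemory call, so every parent/child pair above repeats several times and the process chain is hard to read from the table. Reconstructed, it is: the dropper (PID 1780) spawns cacls.exe and cmd.exe, cmd.exe starts the copied smss.exe from SysWOW64\com, and the dropper also launches a copy of itself that carries a .log extension (PID 2908), which in turn starts the masqueraded lsass.exe (PID 308). The Python below is an added example and not part of the sandbox report: it parses a constructed subset of these rows, de-duplicates the edges, prints the tree, and flags images that use a core-system process name outside System32/SysWOW64 or that run under a non-executable extension. The list of system process names, the directory whitelist and the extension list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "wrote to memory of" rows above, with one
# duplicate kept on purpose to show the de-duplication.
SAMPLE = r"""
PID 1780 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1780 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 1780 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
PID 2908 wrote to memory of 2564 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2908 wrote to memory of 2268 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2908 wrote to memory of 308 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
"""

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumptions for the example: names that only belong in the system directories,
# the directories where they are legitimate, and extensions a PE normally runs under.
SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "wininit.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".cpl")


def normalize(path):
    """Lower-case and strip the NT object-manager prefix (\\??\\) the sandbox records."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def split_path(path):
    head, _, name = normalize(path).rpartition("\\")
    return head, name


def is_masquerade(path):
    """A core-system process name running from outside System32/SysWOW64."""
    directory, name = split_path(path)
    return name in SYSTEM_IMAGES and directory not in SYSTEM_DIRS


def odd_extension(path):
    """An image whose file name does not end in an executable extension."""
    _, name = split_path(path)
    return not name.endswith(EXEC_EXTS)


def parse_rows(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) edges in log order."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ppid, cpid, pimg, cimg = m.groups()
        key = (int(ppid), int(cpid))
        if key in seen:
            continue
        seen.add(key)
        edges.append((int(ppid), int(cpid), pimg, cimg))
    return edges


def build_tree(edges):
    """Map pid -> children, pid -> image, and find the roots (pids never written to)."""
    children, images = defaultdict(list), {}
    for ppid, cpid, pimg, cimg in edges:
        images.setdefault(ppid, pimg)
        images[cpid] = cimg
        children[ppid].append(cpid)
    child_set = {cpid for _, cpid, _, _ in edges}
    roots = [pid for pid in images if pid not in child_set]
    return children, images, roots


def reasons(image):
    out = []
    if is_masquerade(image):
        out.append("system-process name outside System32/SysWOW64")
    if odd_extension(image):
        out.append("executable running under a non-executable extension")
    return out


def suspicious_pids(edges):
    """pid -> list of reasons, for every pid whose image trips a rule."""
    _, images, _ = build_tree(edges)
    return {pid: reasons(img) for pid, img in images.items() if reasons(img)}


def render(children, images, roots):
    """Indented process tree, one line per pid, with flags appended."""
    lines = []

    def walk(pid, depth):
        flags = reasons(images[pid])
        tag = f"  <-- {'; '.join(flags)}" if flags else ""
        lines.append(f"{'  ' * depth}{pid} {images[pid]}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE)
    print("\n".join(render(*build_tree(edges))))
```

Running it prints a single tree rooted at 1780 with 2852, 2892 and 308 flagged for the masqueraded smss.exe/lsass.exe images and 2908 flagged for executing under a .log name; the same parser applies unchanged to the full table.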

Processes

C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log

\??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log

"c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe

C:\Windows\SysWOW64\com\lsass.exe

"C:\Windows\system32\com\lsass.exe"

C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe

"C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"

C:\Windows\SysWOW64\com\lsass.exe

^c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif

C:\Windows\SysWOW64\com\smss.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"

C:\Windows\SysWOW64\ping.exe

ping.exe -f -n 1 www.baidu.com

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f8
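The command lines above are a chain of living-off-the-land steps: cacls grants Everyone:F on C:\Windows\system32\com and on the copies placed there, cmd.exe /c passes a caret-escaped pipe (^|) so that the copied smss.exe receives a literal "source|destination" argument rather than a shell pipeline, rd /s /q and del /F /Q remove earlier copies under System32, regsvr32 /s silently registers netcfg.dll from that non-standard directory, pagefile.pif is written to the root of every drive to pair with the AUTORUN.INF drops, a file is placed in the all-users Startup folder, and a single ping to www.baidu.com checks for Internet connectivity. The Python below is an added example, not code from the report or the sample: it tokenizes such command lines, unwraps cmd.exe /c payloads the way cmd.exe itself does (outer quotes removed, carets stripped) and returns a rule name for each of those behaviours. The rule names, the system-directory whitelist and the sample lines are constructed for the example.

```python
import ntpath
import re

# Assumptions for the example: where core-system names are legitimate, and which
# names should never run from anywhere else.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "wininit.exe", "svchost.exe"}
DELETE_CMDS = {"rd", "rmdir", "del", "erase"}

# Constructed sample, copied from the process list above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F',
    r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F',
    r'cmd.exe /c echo ok',
    r'cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"',
    r'cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"',
    r'"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s',
    r'cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"',
    r'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe',
    r'ping.exe -f -n 1 www.baidu.com',
    r'C:\Windows\system32\AUDIODG.EXE 0x4f8',
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def under_system_dir(path):
    return path.lower().startswith((r"c:\windows\system32", r"c:\windows\syswow64"))


def analyze(cmdline):
    """Return the list of rule names this command line trips (empty if benign)."""
    toks = tokenize(cmdline)
    if not toks:
        return []
    exe = ntpath.basename(toks[0]).lower()
    exe_dir = ntpath.dirname(toks[0]).lower()
    args = toks[1:]
    low = [a.lower() for a in args]
    hits = []

    # cmd.exe /c <payload>: cmd strips one pair of outer quotes and treats '^' as an
    # escape, so "^|" reaches the child as a literal '|' instead of starting a pipe.
    if exe == "cmd.exe" and low[:1] == ["/c"]:
        m = re.search(r"\s/c\s+(.*)$", cmdline, re.I)
        if not m:
            return hits
        payload = m.group(1).strip()
        if payload.startswith('"') and payload.endswith('"'):
            payload = payload[1:-1]
        if "^|" in payload:
            hits.append("caret_escaped_pipe")
        return hits + analyze(payload.replace("^", ""))

    if exe in SYSTEM_IMAGES and exe_dir and exe_dir not in SYSTEM_DIRS:
        hits.append("masquerade_system_process_name")

    if exe in ("cacls.exe", "icacls.exe") and args:
        grants = any(a in ("/g", "/grant") for a in low)
        world = any(re.fullmatch(r"(everyone|users|authenticated users):f", a) for a in low)
        if grants and world and low[0].startswith(r"c:\windows"):
            hits.append("world_writable_windows_dir")

    if exe in DELETE_CMDS and args and under_system_dir(args[-1]):
        hits.append("delete_under_system32")

    if exe == "regsvr32.exe" and "/s" in low:
        for a in args:
            if a.lower().endswith(".dll") and ntpath.dirname(a).lower() not in SYSTEM_DIRS:
                hits.append("regsvr32_silent_nonstandard_dll")

    if exe in ("ping.exe", "ping") and "-n" in low and not args[-1][0].isdigit():
        hits.append("connectivity_check")

    # Executables at a drive root pair with the AUTORUN.INF drops in the signature
    # tables; "src|dst" arguments are split so the destination is inspected too.
    for piece in (p for a in args for p in a.split("|")):
        if re.fullmatch(r"[a-z]:\\[^\\]+\.(pif|exe|com|scr)", piece.lower()):
            hits.append("drive_root_executable")

    if r"\start menu\programs\startup\\".rstrip("\\") in cmdline.lower():
        hits.append("startup_folder_path")

    return hits


def scan(cmdlines):
    """Only the lines that tripped something, in input order."""
    return [(c, analyze(c)) for c in cmdlines if analyze(c)]


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_CMDLINES):
        print(", ".join(hits).ljust(70), cmdline)
```

The Admin:F grant, "echo ok" and AUDIODG.EXE lines produce no hits, which is the point of checking the grantee and the target directory rather than the binary name alone: cacls, cmd.exe, regsvr32 and ping are all legitimate tools, and only the argument shape distinguishes this sample's use of them.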

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 js.k0102.com udp
DE 185.53.179.173:80 js.k0102.com tcp
US 8.8.8.8:53 d38psrni17bvxu.cloudfront.net udp
NL 18.239.102.108:80 d38psrni17bvxu.cloudfront.net tcp
US 8.8.8.8:53 ifdnzact.com udp
US 208.91.196.46:80 ifdnzact.com tcp
US 208.91.196.46:80 ifdnzact.com tcp
US 8.8.8.8:53 i4.cdn-image.com udp
US 208.91.196.253:80 i4.cdn-image.com tcp
US 208.91.196.253:80 i4.cdn-image.com tcp

Files

memory/1780-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\com\smss.exe

MD5 ecc52a71f452d05a30b9b521d8ed9025
SHA1 fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e
SHA256 f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0
SHA512 d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

memory/2704-8-0x0000000000160000-0x000000000016F000-memory.dmp

memory/2852-12-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2704-10-0x0000000000160000-0x000000000016F000-memory.dmp

memory/2852-15-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1780-23-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2908-22-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1780-21-0x0000000002DE0000-0x0000000002E10000-memory.dmp

memory/1780-20-0x0000000002DE0000-0x0000000002E10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log

MD5 7f85f00af073eeaba1e19077285ae933
SHA1 8ab10781d4965f97ba6fba83f651aa63b547168a
SHA256 e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984
SHA512 e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6

memory/2892-35-0x0000000000400000-0x000000000040F000-memory.dmp

\??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~

MD5 1cf46cbf40ec16bef528ebc2fd7f03dc
SHA1 54069df6e6d11b93dca22d8461b9588302f912c6
SHA256 d2694a4d43613b3f304a23502249e29cb6746cddae79b5a667b5b319c1ae5dbf
SHA512 fecce695232c69ff961239f42c9637d2990ba3bbd5fc9d5709eed153e33a66d2caff05f782d5d9afd84957bb1828ea53e683e78ef4c99b382ea335d15eec2dea

\Windows\SysWOW64\com\lsass.exe

MD5 4c17312e44a4000a782a5c71b04b5faa
SHA1 47c4c0f3b80f809957ddff48b28211d992f3e9f5
SHA256 a059aa3b5462a3d602fe29590dd8ca78fbb9e90f3402a3e41e2688d08d552341
SHA512 8ea955e5cdb2ba2cac15018a82b270f3eabce3d311123fc5e39c7b5f3606782a56811086ca4bb10196e9664df88c8d1609fa3bc259cf7dee0fb1ce70cc5a0c14

memory/2908-44-0x0000000002CB0000-0x0000000002CE0000-memory.dmp

memory/308-45-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2040-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\NetApi00.sys

MD5 8e336906e90cb3558fb9704d0921e27a
SHA1 59ad8af4982e287954ecf0afaa2f28bc1ba578bc
SHA256 7c9b6f4a222d9b110ff7abecd2cd9ae7d4a7c8229e5c8b5a39da007127735897
SHA512 0a6a13daccd9f149ef5417d87ff0d9dee0564fe42dcb2cd61782dc5af744e218f68c04ed2705eba8ab3c2867af81ad487f58efe3d620cd30c433e0d382efed24

memory/2908-57-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2040-69-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\com\netcfg.000

MD5 d3777f588e34bbc50a1c08d472b94a83
SHA1 abcbccde250c3a142347efc32c5a89869ead61f4
SHA256 0b10b6bdf21f31107be9140d4e8c1120c60e057421aee2a17b4b674f2b7d2b0b
SHA512 8701d268b2ea969bf4a21a13f6898d6ff21752f51bb1cbe24017422f5835a4ec5423c398f0593226affa3a2e353ff2fc30c6ec239bcc4bc3e7b09dd3f42b67cc

\Windows\SysWOW64\dnsq.dll

MD5 c08ba4c0a84a6d5dbd2f8c99ecfe7116
SHA1 a031a2147851c856eff0161a266e33410aa94604
SHA256 7ee24ac81046fc2e214423d816b9f805992a4aa2d9a3f9567699142e69bc863f
SHA512 ddd4da03ef846c8addd3e7168c08c3ce8d354c5d82e4dd94903e918338745f5f8ec47cb6688df482e0afd68f28c4fbd2e48a3d2cae52f145cc451a77532d7f01

memory/308-82-0x0000000010000000-0x0000000010012000-memory.dmp

memory/2032-86-0x00000000000B0000-0x00000000000BF000-memory.dmp

memory/2032-88-0x00000000000B0000-0x00000000000BF000-memory.dmp

memory/2352-92-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2712-100-0x0000000000400000-0x000000000040F000-memory.dmp

memory/308-99-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2720-101-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2216-104-0x0000000000120000-0x000000000012F000-memory.dmp

memory/308-103-0x0000000010000000-0x0000000010012000-memory.dmp

memory/2216-106-0x0000000000120000-0x000000000012F000-memory.dmp

memory/2508-109-0x0000000000400000-0x000000000040F000-memory.dmp

memory/308-112-0x0000000000540000-0x000000000054F000-memory.dmp

memory/2696-116-0x0000000010000000-0x0000000010012000-memory.dmp

memory/308-117-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2636-121-0x0000000000400000-0x000000000040F000-memory.dmp

memory/308-123-0x0000000000540000-0x000000000054F000-memory.dmp

memory/2552-124-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2696-125-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2696-126-0x0000000010000000-0x0000000010012000-memory.dmp

memory/308-129-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-133-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-137-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-141-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-145-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-149-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-153-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-157-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-161-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-165-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-169-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-177-0x0000000000400000-0x0000000000430000-memory.dmp

memory/308-181-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 14:19

Reported

2024-10-30 14:21

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"

Signatures

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\smss.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\com\lsass.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\com\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\com\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\com\smss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Windows\SysWOW64\com\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Windows\SysWOW64\com\lsass.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File opened (read-only) \??\E: \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\com\lsass.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\com\lsass.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\com\lsass.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\smss.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AUTORUN.INF \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification D:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification \??\E:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification \??\E:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File opened for modification D:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File opened for modification \??\E:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File created C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification D:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification D:\AUTORUN.INF \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened for modification \??\E:\AUTORUN.INF \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\com\lsass.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\dnsq.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\netcfg.000 C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\dnsq.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\bak C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened for modification C:\Windows\SysWOW64\com\lsass.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File opened for modification C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification \??\c:\windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\00302.log \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\00302.log C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\smss.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\netcfg.000 C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\00302.log C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\00302.log C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Windows\SysWOW64\com\lsass.exe N/A
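Each signature table above is the same flattened four-column row: a description drawn from a small fixed vocabulary, an indicator (a registry key or path, which may itself contain spaces, as in "Windows NT\CurrentVersion\Image File Execution Options" or "Control Panel\International\Geo\Nation"), the acting process and a target. The Python below is an added example and not part of the sandbox report: it parses such rows, maps the indicators back to the signature names this report uses, and builds a per-process profile. That pivot makes it visible that the original dropper, its .exe.log copy and the masqueraded lsass.exe all perform the same IFEO, AV-check, UAC-check and AUTORUN.INF actions, which is what one expects from copies of one binary. The regex patterns and the sample rows are constructed for the example; the labels are the signature names from the tables above.

```python
import re
from collections import defaultdict

# Constructed sample rows, in the flattened form used by the tables above.
SAMPLE_ROWS = r"""
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Windows\SysWOW64\com\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\com\lsass.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
"""

# Longest description first so "File opened for modification" wins over "File opened".
DESCRIPTIONS = sorted([
    "Key deleted", "Key created", "Key opened", "Key value queried",
    "File created", "File deleted", "File opened (read-only)", "File opened for modification",
], key=len, reverse=True)

# (regex over the lower-cased indicator, signature name used in this report)
RULES = [
    (r"\\image file execution options(\\|$)", "Event Triggered Execution: Image File Execution Options Injection"),
    (r"\\currentversion\\run(once)?(\\|$)", "Adds Run key to start application"),
    (r"\\services\\antivirservice(\\|$)", "Checks for any installed AV software in registry"),
    (r"\\policies\\system\\enablelua$", "Checks whether UAC is enabled"),
    (r"\\control panel\\international\\geo\\nation$", "Checks computer location settings"),
    (r"\\control\\nls\\language(\\|$)", "System Location Discovery: System Language Discovery"),
    (r"^(\\\?\?\\)?[a-z]:$", "Enumerates connected drives"),
    (r"^(\\\?\?\\)?[a-z]:\\autorun\.inf$", "Drops autorun.inf file"),
    (r"^(\\\?\?\\)?c:\\windows\\(system32|syswow64)\\", "Drops file in System32 directory"),
]


def normalize_path(p):
    """Lower-case and strip the NT \\??\\ prefix so both spellings of a process match."""
    p = p.lower()
    return p[4:] if p.startswith("\\??\\") else p


def parse_signature_rows(text):
    """Rows -> dicts. The indicator may contain spaces; process and target never do,
    so the remainder is split from the right."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        desc = next((d for d in DESCRIPTIONS if line.startswith(d + " ")), None)
        if desc is None:
            continue
        parts = line[len(desc):].strip().rsplit(None, 2)
        if len(parts) != 3:
            continue
        indicator, process, target = parts
        events.append({"description": desc, "indicator": indicator,
                       "process": normalize_path(process), "target": target})
    return events


def classify(indicator):
    """Signature names whose pattern matches this indicator."""
    ind = indicator.lower()
    return [label for pattern, label in RULES if re.search(pattern, ind)]


def profile(events):
    """process -> sorted list of signature names it triggered."""
    out = defaultdict(set)
    for ev in events:
        for label in classify(ev["indicator"]):
            out[ev["process"]].add(label)
    return {proc: sorted(labels) for proc, labels in out.items()}


def shared_behaviours(prof, processes):
    """Signature names exhibited by every listed process (copies of one binary
    show up as an identical core set)."""
    sets = [set(prof.get(p, [])) for p in processes]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    for proc, labels in profile(parse_signature_rows(SAMPLE_ROWS)).items():
        print(proc)
        for label in labels:
            print("   ", label)
```

Feeding the full tables above through parse_signature_rows and then shared_behaviours over the dropper, the .exe.log copy and com\lsass.exe gives the common core (IFEO key deletion, AntiVirService lookup, EnableLUA query, Geo\Nation query, AUTORUN.INF writes), which is the set worth turning into host-side hunt queries rather than the individual file hashes, since those change with every copy.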

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\com\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\com\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1064 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1064 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1064 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1064 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1064 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1064 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 1140 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 1140 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 1064 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
PID 1064 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
PID 1064 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
PID 2900 wrote to memory of 5048 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 5048 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 5048 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2796 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2796 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2796 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 1196 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 1196 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 1196 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2720 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2720 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2720 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 3220 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 3220 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 3220 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 316 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 316 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 316 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 3472 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 3472 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 3472 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 4636 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 4636 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 4636 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 4636 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 4636 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2900 wrote to memory of 1716 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2900 wrote to memory of 1716 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2900 wrote to memory of 1716 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2900 wrote to memory of 4132 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
PID 2900 wrote to memory of 4132 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
PID 2900 wrote to memory of 4132 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
PID 2900 wrote to memory of 1204 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2900 wrote to memory of 1204 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2900 wrote to memory of 1204 N/A \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 1716 wrote to memory of 3164 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1716 wrote to memory of 3164 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1716 wrote to memory of 3164 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1716 wrote to memory of 4496 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1716 wrote to memory of 4496 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1716 wrote to memory of 4496 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1716 wrote to memory of 3300 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1716 wrote to memory of 3300 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1716 wrote to memory of 3300 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 1716 wrote to memory of 3372 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log

\??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log

"c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe

C:\Windows\SysWOW64\com\lsass.exe

"C:\Windows\system32\com\lsass.exe"

C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe

"C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"

C:\Windows\SysWOW64\com\lsass.exe

^c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif

C:\Windows\SysWOW64\com\smss.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"

C:\Windows\SysWOW64\ping.exe

ping.exe -f -n 1 www.baidu.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 js.k0102.com udp
DE 185.53.179.173:80 js.k0102.com tcp
US 8.8.8.8:53 d38psrni17bvxu.cloudfront.net udp
NL 18.239.102.197:80 d38psrni17bvxu.cloudfront.net tcp
US 8.8.8.8:53 ifdnzact.com udp
US 208.91.196.46:80 ifdnzact.com tcp
US 8.8.8.8:53 173.179.53.185.in-addr.arpa udp
US 8.8.8.8:53 197.102.239.18.in-addr.arpa udp
US 8.8.8.8:53 46.196.91.208.in-addr.arpa udp

Files

memory/1064-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\Com\smss.exe

MD5 ecc52a71f452d05a30b9b521d8ed9025
SHA1 fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e
SHA256 f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0
SHA512 d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

memory/2268-8-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2268-11-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log

MD5 7f85f00af073eeaba1e19077285ae933
SHA1 8ab10781d4965f97ba6fba83f651aa63b547168a
SHA256 e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984
SHA512 e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6

memory/1064-15-0x0000000000400000-0x0000000000430000-memory.dmp

\??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~

MD5 1cf46cbf40ec16bef528ebc2fd7f03dc
SHA1 54069df6e6d11b93dca22d8461b9588302f912c6
SHA256 d2694a4d43613b3f304a23502249e29cb6746cddae79b5a667b5b319c1ae5dbf
SHA512 fecce695232c69ff961239f42c9637d2990ba3bbd5fc9d5709eed153e33a66d2caff05f782d5d9afd84957bb1828ea53e683e78ef4c99b382ea335d15eec2dea

memory/3984-27-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Windows\SysWOW64\Com\lsass.exe

MD5 4c17312e44a4000a782a5c71b04b5faa
SHA1 47c4c0f3b80f809957ddff48b28211d992f3e9f5
SHA256 a059aa3b5462a3d602fe29590dd8ca78fbb9e90f3402a3e41e2688d08d552341
SHA512 8ea955e5cdb2ba2cac15018a82b270f3eabce3d311123fc5e39c7b5f3606782a56811086ca4bb10196e9664df88c8d1609fa3bc259cf7dee0fb1ce70cc5a0c14

memory/1716-31-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2900-35-0x0000000000400000-0x0000000000430000-memory.dmp

C:\NetApi00.sys

MD5 8e336906e90cb3558fb9704d0921e27a
SHA1 59ad8af4982e287954ecf0afaa2f28bc1ba578bc
SHA256 7c9b6f4a222d9b110ff7abecd2cd9ae7d4a7c8229e5c8b5a39da007127735897
SHA512 0a6a13daccd9f149ef5417d87ff0d9dee0564fe42dcb2cd61782dc5af744e218f68c04ed2705eba8ab3c2867af81ad487f58efe3d620cd30c433e0d382efed24

memory/1204-46-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\Com\netcfg.000

MD5 d3777f588e34bbc50a1c08d472b94a83
SHA1 abcbccde250c3a142347efc32c5a89869ead61f4
SHA256 0b10b6bdf21f31107be9140d4e8c1120c60e057421aee2a17b4b674f2b7d2b0b
SHA512 8701d268b2ea969bf4a21a13f6898d6ff21752f51bb1cbe24017422f5835a4ec5423c398f0593226affa3a2e353ff2fc30c6ec239bcc4bc3e7b09dd3f42b67cc

C:\Windows\SysWOW64\dnsq.dll

MD5 c08ba4c0a84a6d5dbd2f8c99ecfe7116
SHA1 a031a2147851c856eff0161a266e33410aa94604
SHA256 7ee24ac81046fc2e214423d816b9f805992a4aa2d9a3f9567699142e69bc863f
SHA512 ddd4da03ef846c8addd3e7168c08c3ce8d354c5d82e4dd94903e918338745f5f8ec47cb6688df482e0afd68f28c4fbd2e48a3d2cae52f145cc451a77532d7f01

memory/1716-59-0x0000000010000000-0x0000000010012000-memory.dmp

memory/5020-68-0x0000000000400000-0x000000000040F000-memory.dmp

memory/3724-71-0x0000000000400000-0x000000000040F000-memory.dmp

memory/3428-73-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1716-74-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-78-0x0000000010000000-0x0000000010012000-memory.dmp

memory/1716-79-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3312-81-0x0000000000400000-0x000000000040F000-memory.dmp

memory/3312-83-0x0000000010000000-0x0000000010012000-memory.dmp

memory/1716-84-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-88-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-92-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-96-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-100-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-104-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-108-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-112-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-116-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-120-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-124-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-132-0x0000000000400000-0x0000000000430000-memory.dmp