Analysis Overview
SHA256
1ab4bda709b6dec9b2d4df647e0d4372b1aa9a712b65a32fcc33642005d57e08
Threat Level: Known bad
The file 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates connected drives
Adds Run key to start application
Indicator Removal: File Deletion
UPX packed file
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
NSIS installer
Runs net.exe
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 02:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 02:12
Reported
2024-10-31 02:57
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Disables service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ewrgetuj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\geurge.exe" | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe | N/A |
Enumerates connected drives
Indicator Removal: File Deletion
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\cb.exe
"C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\cb.exe"
C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe
"C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe"
C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe
"C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe"
C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe
"C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe"
C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe
"C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1540 -ip 1540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 272
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Msj..bat" > nul 2> nul
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe > nul
C:\Users\Admin\AppData\Local\Temp\geurge.exe
C:\Users\Admin\AppData\Local\Temp\geurge.exe
C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)
C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\tujserrew.bat""
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
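The process list above (and the matching list in behavioral1) is the useful part of this report for detection engineering: a batch file run through cmd.exe stops the Security Center and Windows Firewall/ICS services with net.exe/net1.exe, sets both to DISABLED with sc.exe, a second cmd.exe deletes the dropped E4U.exe, and Gi.exe writes a Run value pointing at geurge.exe in %TEMP%. The following is an added example, not part of the sandbox report, showing detection logic for those four behaviours run over process-creation and registry events constructed from the command lines on this page. The event field names (image, cmd, key, value) are an assumption modelled loosely on Sysmon Event ID 1/13, and the ATT&CK technique mapping is the example's own, not the report's.

```python
"""Detect the defence-evasion and persistence chain recorded in this report.

Added example. EVENTS is constructed from the report's process list and
Run-key signature; field names imitate Sysmon EID 1 / EID 13 but are an
assumption, not the sandbox's export format.
"""
import re

# Constructed telemetry: the malware's commands plus one benign control row.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net.exe stop "Security Center"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": "sc config wscsvc start= DISABLED"},
    # The report's own line has no closing quote; the regex must cope with that.
    {"type": "process", "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": "sc config SharedAccess start= DISABLED"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe > nul'},
    {"type": "registry", "image": r"C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ewrgetuj",
     "value": r"C:\Users\Admin\AppData\Local\Temp\geurge.exe"},
    # Benign control: an admin stopping the spooler must not fire.
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net stop "Print Spooler"'},
]

# Service short names seen in the report, keyed lower-case for matching.
WATCHED_SERVICES = {"wscsvc": "Security Center", "sharedaccess": "Windows Firewall/ICS"}
# Display-name prefixes used with `net stop` in the report.
WATCHED_DISPLAY = ("security center", "windows firewall")

# ATT&CK mapping chosen for this example (the report only names two techniques).
TECHNIQUES = {
    "service_stopped": "T1489 Service Stop",
    "service_disabled": "T1562.001 Impair Defenses: Disable or Modify Tools",
    "temp_file_deleted": "T1070.004 Indicator Removal: File Deletion",
    "run_key_to_temp": "T1547.001 Registry Run Keys / Startup Folder",
}

SC_DISABLE = re.compile(r"^\s*sc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b", re.I)
# net / net1, with or without .exe or a full path; tolerate an unclosed quote.
NET_STOP = re.compile(r'^\s*(?:\S*\\)?net1?(?:\.exe)?\s+stop\s+"?([^"]+)', re.I)
CMD_DEL = re.compile(r'\bdel\s+("?[^"\s>]+)', re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _finding(rule, detail, image):
    return {"rule": rule, "technique": TECHNIQUES[rule], "detail": detail, "image": image}


def analyze(events):
    """Return one finding per matching event, in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            cmd = ev["cmd"]
            m = SC_DISABLE.search(cmd)
            if m and m.group(1).lower() in WATCHED_SERVICES:
                findings.append(_finding("service_disabled", WATCHED_SERVICES[m.group(1).lower()], ev["image"]))
            m = NET_STOP.search(cmd)
            if m and m.group(1).strip().lower().startswith(WATCHED_DISPLAY):
                findings.append(_finding("service_stopped", m.group(1).strip(), ev["image"]))
            m = CMD_DEL.search(cmd)
            # Only cmd.exe deleting something under the user's Temp directory counts.
            if m and ev["image"].lower().endswith("\\cmd.exe") and TEMP_DIR.search(m.group(1)):
                findings.append(_finding("temp_file_deleted", m.group(1).strip('"'), ev["image"]))
        elif ev["type"] == "registry":
            # Autorun value whose target lives in %TEMP%: classic dropper persistence.
            if "\\currentversion\\run\\" in ev["key"].lower() and TEMP_DIR.search(ev["value"]):
                name = ev["key"].rsplit("\\", 1)[1]
                findings.append(_finding("run_key_to_temp", f"{name} -> {ev['value']}", ev["image"]))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['technique']:<55} {f['detail']}  [{f['image']}]")
```

The service-stop rule keys on display-name prefixes rather than exact strings because the report shows the firewall name passed with an unbalanced quote; an exact match on the full quoted name would miss it. Hits on sc.exe disabling wscsvc or SharedAccess are high-confidence on their own; the Temp-file deletion and Run-key rules are best correlated with the preceding NSIS drop rather than alerted on individually.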
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blueriverarts.com | udp |
| US | 8.8.8.8:53 | abtdiagnostic.com | udp |
| US | 8.8.8.8:53 | redskeltonarts.com | udp |
| US | 8.8.8.8:53 | bbonusworld.com | udp |
| US | 8.8.8.8:53 | greenbeearts.com | udp |
| US | 8.8.8.8:53 | config.perfectexe.com | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
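The Network table mixes three kinds of rows: reverse-DNS lookups (*.in-addr.arpa names, which encode an IP address with its octets reversed), lookups of the domains the sample itself asks for, and the Bing thumbnail traffic that the only TCP connections go to. Note that none of the non-Bing domains is followed by a connection in either detonation; they appear as DNS queries only. The following is an added example, not part of the report, that parses rows in this table's format, converts PTR names back to IPs so they can be compared with connection logs, and separates candidate indicator domains from background traffic. The row text is copied from this page (including the malformed last row with no domain), and the background-domain allowlist is an assumption for this example.

```python
"""Parse a sandbox Network table and separate indicators from background noise.

Added example. NETWORK_ROWS is a constructed excerpt of the table above;
BACKGROUND_SUFFIXES is an assumption, not something the report states.
"""
import ipaddress

NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blueriverarts.com | udp |
| US | 8.8.8.8:53 | config.perfectexe.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp |
"""

# Assumed allowlist of sandbox/OS background traffic; extend for your environment.
BACKGROUND_SUFFIXES = ("bing.net",)


def parse_rows(text):
    """Turn pipe-separated rows into dicts; tolerate a missing Domain cell."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            country, dest, domain, proto = cells
        elif len(cells) == 3:  # domain column absent, as in the report's last row
            country, dest, proto = cells
            domain = ""
        else:
            continue
        if ":" not in dest:  # header row
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217'; None if not a valid PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None


def is_background(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def classify(rows):
    ptr_ips, queried, contacted, malformed = [], set(), set(), 0
    for r in rows:
        if not r["domain"]:
            malformed += 1
            continue
        ip = ptr_to_ip(r["domain"])
        if ip:
            ptr_ips.append(ip)
        elif r["proto"] == "udp" and r["port"] == 53:
            queried.add(r["domain"])  # resolution attempt only
        else:
            contacted.add((r["domain"], r["ip"], r["port"]))  # an actual connection
    contacted_domains = {d for d, _, _ in contacted}
    seen = queried | contacted_domains
    background = {d for d in seen if is_background(d)}
    candidates = sorted(seen - background)
    return {
        "ptr_ips": ptr_ips,
        "contacted": contacted,
        "background": background,
        "candidates": candidates,
        # Domains the sample asked about but never connected to: block/monitor, do not
        # treat as confirmed C2 from this report alone.
        "queried_only": sorted(set(candidates) - contacted_domains),
        "malformed": malformed,
    }


if __name__ == "__main__":
    result = classify(parse_rows(NETWORK_ROWS))
    for k, v in result.items():
        print(f"{k}: {v}")
```

The split between "queried" and "contacted" matters when turning this table into blocklist entries: a DNS query with no following connection tells you the sample wanted the domain, not that it reached anything, so the queried-only domains belong in a watch list while any contacted non-background destination would be the one to investigate first.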
Files
C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\cb.exe
| MD5 | 46e07fd3a40760fda18cf6b4fc691742 |
| SHA1 | 53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa |
| SHA256 | bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be |
| SHA512 | ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd |
C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe
| MD5 | 28ee9992c5cc76a2a2385eaa7423411c |
| SHA1 | 96b5485154f44094627770d5fcf7a4a80aaa111e |
| SHA256 | 9fb5e5110b4fa98c20c90c6f597a09baaf7c301e417a4d2ac7dcdcf6c19cfea1 |
| SHA512 | 16ff019cb3ca0cae00a4336d0dd77d95cdcd3bce8b064f3072a9d3622bf190290eb33ca8500cb26f104da80df9704f98584c234dd243804547e0c45605c6276e |
C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe
| MD5 | 4799c30743d59d162a7a4d0f16bce415 |
| SHA1 | 21b11dfedac88b1009b6459b92076b2278954183 |
| SHA256 | acc6f5666df365ac19248f7854ae8d3753e126ab5125975e232e9d7b924523f1 |
| SHA512 | bb67e53a36cbb7f73d71c4cb1a75996481ca0646cf73565ef3f34973bc42384aff47d625f171385a3d677e336758e3b5a35ef7f5c2dd21b471f55bf5ff0d8ebd |
C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe
| MD5 | 88afc5e074effdce294e0da16c805d0f |
| SHA1 | bf5f183d44ccf8fab7462022a464981c59119d96 |
| SHA256 | a41df47a6ed0cc26973c4bc1452f7d2e21946157552a5515052dc8642b48743e |
| SHA512 | c53e10bd860b24bc28d9b6f0b9ddd2840b62f677bb4a2e181315b53553eb8c52f13bd6c065a43b6c577f03c8952288f76f61ba799756a731ce54d0099e46da2a |
C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe
| MD5 | 2ca85ee33f90ba3705885737aa656a40 |
| SHA1 | e9f4331ef93d63e1c89707d6acdf699fc095a9b5 |
| SHA256 | b34881d5e2d3933dc467ed65bf05dc43fc17dac7d3c30d0cc89b98fbe71dcafa |
| SHA512 | 9ce38d53fa1311c81943d03026b3c1dece41bec20ac109dcb46c9a5766ffb93396af57f6d440d095e205ecc025655b648ea1e73f600126bafbf6fc768ea80787 |
memory/3528-43-0x0000000000419000-0x0000000000425000-memory.dmp
memory/3528-57-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1156-59-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2984-58-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1156-65-0x0000000000400000-0x0000000000403000-memory.dmp
memory/1156-64-0x0000000000400000-0x000000000040C000-memory.dmp
memory/3528-66-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3528-67-0x0000000000419000-0x0000000000425000-memory.dmp
memory/4764-73-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Msj..bat
| MD5 | df5f881c0c771871329bf82305b79b20 |
| SHA1 | 62b0c32e61c92a29f1be786cd1634b80ef97d1be |
| SHA256 | 6566bfa7b5d7565bb5cd35e6f2b4b89cb7d687e17c3919aba50caded602f3904 |
| SHA512 | 3e10b918329a829d53794be7969719b419ee253035c1c35d4031b1e3316a9405f3d97dc369f0f510947207939de55c3f68105d4a66ee0886cf25c70ee0177b0b |
memory/2984-80-0x0000000000400000-0x000000000045A000-memory.dmp
C:\tujserrew.bat
| MD5 | d08cb97e3b90ca2dac463f834008b9b9 |
| SHA1 | 3db0d4da98d144669284f50d9e8ea87a988ac93a |
| SHA256 | 033632928b0c1a737728bb51db824f5fc92c84cbebae99553e8a1f40bd05b8f9 |
| SHA512 | d843a43695c808bf3ee6088e5213f5b97f225412c36a41778a41a950c7459e4e9c4332b98bc9007544863e4d39b5f11bf15308ceeaceff7320847d301febe97d |
memory/4764-82-0x0000000000400000-0x000000000045A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 02:12
Reported
2024-10-31 02:22
Platform
win7-20241010-en
Max time kernel
143s
Max time network
144s
Command Line
Signatures
Disables service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\ic9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\EuroP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewrgetuj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\geurge.exe" | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe | N/A |
Enumerates connected drives
Indicator Removal: File Deletion
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\EuroP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\ic9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geurge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\cb.exe
"C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\cb.exe"
C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\ic9.exe
"C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\ic9.exe"
C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\EuroP.exe
"C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\EuroP.exe"
C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe
"C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe"
C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe
"C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Mbz..bat" > nul 2> nul
C:\Users\Admin\AppData\Local\Temp\geurge.exe
C:\Users\Admin\AppData\Local\Temp\geurge.exe
C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)
C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\tujserrew.bat""
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blueriverarts.com | udp |
| US | 8.8.8.8:53 | redskeltonarts.com | udp |
| US | 8.8.8.8:53 | 873hgf7xx60.com | udp |
| US | 8.8.8.8:53 | greenbeearts.com | udp |
| US | 8.8.8.8:53 | abtdiagnostic.com | udp |
| US | 8.8.8.8:53 | bbonusworld.com | udp |
| US | 8.8.8.8:53 | config.perfectexe.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nszE227.tmp\cb.exe
| MD5 | 46e07fd3a40760fda18cf6b4fc691742 |
| SHA1 | 53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa |
| SHA256 | bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be |
| SHA512 | ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd |
\Users\Admin\AppData\Local\Temp\nszE227.tmp\ic9.exe
| MD5 | 28ee9992c5cc76a2a2385eaa7423411c |
| SHA1 | 96b5485154f44094627770d5fcf7a4a80aaa111e |
| SHA256 | 9fb5e5110b4fa98c20c90c6f597a09baaf7c301e417a4d2ac7dcdcf6c19cfea1 |
| SHA512 | 16ff019cb3ca0cae00a4336d0dd77d95cdcd3bce8b064f3072a9d3622bf190290eb33ca8500cb26f104da80df9704f98584c234dd243804547e0c45605c6276e |
memory/2204-32-0x0000000000400000-0x0000000000418000-memory.dmp
\Users\Admin\AppData\Local\Temp\nszE227.tmp\EuroP.exe
| MD5 | 4799c30743d59d162a7a4d0f16bce415 |
| SHA1 | 21b11dfedac88b1009b6459b92076b2278954183 |
| SHA256 | acc6f5666df365ac19248f7854ae8d3753e126ab5125975e232e9d7b924523f1 |
| SHA512 | bb67e53a36cbb7f73d71c4cb1a75996481ca0646cf73565ef3f34973bc42384aff47d625f171385a3d677e336758e3b5a35ef7f5c2dd21b471f55bf5ff0d8ebd |
C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\E4U.exe
| MD5 | 88afc5e074effdce294e0da16c805d0f |
| SHA1 | bf5f183d44ccf8fab7462022a464981c59119d96 |
| SHA256 | a41df47a6ed0cc26973c4bc1452f7d2e21946157552a5515052dc8642b48743e |
| SHA512 | c53e10bd860b24bc28d9b6f0b9ddd2840b62f677bb4a2e181315b53553eb8c52f13bd6c065a43b6c577f03c8952288f76f61ba799756a731ce54d0099e46da2a |
C:\Users\Admin\AppData\Local\Temp\nszE227.tmp\Gi.exe
| MD5 | 2ca85ee33f90ba3705885737aa656a40 |
| SHA1 | e9f4331ef93d63e1c89707d6acdf699fc095a9b5 |
| SHA256 | b34881d5e2d3933dc467ed65bf05dc43fc17dac7d3c30d0cc89b98fbe71dcafa |
| SHA512 | 9ce38d53fa1311c81943d03026b3c1dece41bec20ac109dcb46c9a5766ffb93396af57f6d440d095e205ecc025655b648ea1e73f600126bafbf6fc768ea80787 |
memory/2744-64-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2744-66-0x0000000000850000-0x00000000008AA000-memory.dmp
memory/2204-65-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1824-72-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Mbz..bat
| MD5 | a943a8061383fa691ce9bca68ee0512e |
| SHA1 | f89b9e57a0a2ca47e3a9fd7ab6071a25ef117741 |
| SHA256 | 76d679cd188e89bbacacd4b31bb0daae8adc7094c9b43ca04873906d8f7447dc |
| SHA512 | 6bbb204986e535b2db4b1ff8f60b18282a22a8171899394dbd0a0bb74e40a687864029a5da27b11a28325ab9968c5dd76ada69a794590d697599f0d06a114917 |
memory/2744-71-0x0000000002F30000-0x00000000039EA000-memory.dmp
memory/2744-77-0x00000000059D0000-0x0000000005A2A000-memory.dmp
memory/3060-88-0x0000000000400000-0x000000000045A000-memory.dmp
C:\tujserrew.bat
| MD5 | d08cb97e3b90ca2dac463f834008b9b9 |
| SHA1 | 3db0d4da98d144669284f50d9e8ea87a988ac93a |
| SHA256 | 033632928b0c1a737728bb51db824f5fc92c84cbebae99553e8a1f40bd05b8f9 |
| SHA512 | d843a43695c808bf3ee6088e5213f5b97f225412c36a41778a41a950c7459e4e9c4332b98bc9007544863e4d39b5f11bf15308ceeaceff7320847d301febe97d |
memory/2744-100-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3060-104-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2776-108-0x0000000000400000-0x000000000040C000-memory.dmp
memory/3060-116-0x0000000000400000-0x000000000045A000-memory.dmp