Malware Analysis Report

2025-08-05 11:47

Sample ID 241031-eztgnsykgv
Target 819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118
SHA256 debc992881ed63f6c7fcb5c39e7cb69c26ec9735c4a9bb6febbfe8c9d0d818d5
Tags
defense_evasion discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

debc992881ed63f6c7fcb5c39e7cb69c26ec9735c4a9bb6febbfe8c9d0d818d5

Threat Level: Known bad

The file 819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Impair Defenses: Safe Mode Boot

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 04:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 04:23

Reported

2024-10-31 04:31

Platform

win7-20240708-en

Max time kernel

121s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\windows\hosts.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\windows\hosts.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NNYJZAHP = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NNYJZAHP = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NNYJZAHP = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Windows\SysWOW64\REG.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\windows\hosts.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\W_X_C.vbs C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
File created \??\c:\windows\W_X_C.bat C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
File opened for modification C:\Windows\hosts.exe C:\windows\hosts.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
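The rows above are the sandbox's own signature matches. As an added example (not the sandbox's engine and not code from this report), the Python below parses rows in the report's "Description Indicator Process Target" layout and re-derives the tactic tags from the registry and file indicators listed in this section: HideFileExt = "1" and ShowSuperHidden = "0" (evasion), the Policies\Explorer\Run and Wow6432Node\...\Run values (persistence), SafeBoot subkey deletion (defense_evasion), files written under C:\windows, and the NLS\Language lookups (discovery). The rule names and tactic labels are the report's; the regexes are this example's assumption about what each signature keys on, and the sample rows are a constructed selection from the behavioral1 tables. One caveat worth keeping in mind when reading the Safe Mode signature: the REG.exe command line in the Processes section (REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f) removes the whole SafeBoot key, whose Minimal and Network subkeys list what Safe Mode is allowed to load, so the three subkeys named by the signature are only the ones the sandbox monitors, not the full damage.

```python
"""Classify sandbox registry/file event rows into the report's tactic tags.

Added example for this report, not the sandbox's own signature engine.
Rows are parsed from the report's 'Description Indicator Process Target'
layout; the rule regexes are this example's assumption about what each
listed signature keys on.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one row per line, copied from the behavioral1 tables.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\windows\hosts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NNYJZAHP = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Windows\SysWOW64\REG.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\windows\hosts.exe N/A
File created \??\c:\windows\W_X_C.bat C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
"""

# Description, then the indicator (may contain ' = "value"'), then the acting
# process (a drive path or \??\ path) and the target column.
EVENT_RE = re.compile(
    r"^(?P<desc>Set value \(\w+\)|Key created|Key deleted|Key opened"
    r"|Key value queried|File created|File opened for modification) "
    r"(?P<indicator>.+?) "
    r"(?P<process>(?:[A-Za-z]:|\\\?\?\\)\S+) "
    r"(?P<target>\S+)$"
)

# (signature name from the report, tactic tag from the report, assumed rule).
# Matched against "<description> <indicator>"; first hit wins.
RULES = [
    ("Modifies visibility of file extensions in Explorer", "evasion",
     re.compile(r'^Set value \(int\) .*\\Explorer\\Advanced\\HideFileExt = "1"$')),
    ("Modifies visibility of hidden/system files in Explorer", "evasion",
     re.compile(r'^Set value \(int\) .*\\Explorer\\Advanced\\ShowSuperHidden = "0"$')),
    ("Adds policy Run key to start application", "persistence",
     re.compile(r"^Set value \(str\) .*\\Policies\\Explorer\\Run\\[^\\ ]+ = ")),
    ("Adds Run key to start application", "persistence",
     re.compile(r"^Set value \(str\) .*\\CurrentVersion\\Run\\[^\\ ]+ = ")),
    ("Impair Defenses: Safe Mode Boot", "defense_evasion",
     re.compile(r"^Key deleted .*\\Control\\SafeBoot\\")),
    ("Drops file in Windows directory", "untagged",  # listed without a tactic in the report
     re.compile(r"^File (?:created|opened for modification) (?:\\\?\?\\)?c:\\windows\\[^\\]+$", re.I)),
    ("System Location Discovery: System Language Discovery", "discovery",
     re.compile(r"^Key opened .*\\Control\\NLS\\Language$")),
]


@dataclass
class Finding:
    description: str
    indicator: str
    process: str
    target: str
    signature: str
    tactic: str


def classify_events(text):
    """Parse every non-blank row and tag it; rows no rule covers stay 'unclassified'."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparsed event row: {line!r}")
        key = f"{m['desc']} {m['indicator']}"
        signature = tactic = "unclassified"
        for name, tag, pattern in RULES:
            if pattern.search(key):
                signature, tactic = name, tag
                break
        findings.append(Finding(m["desc"], m["indicator"], m["process"],
                                m["target"], signature, tactic))
    return findings


def summarize(findings):
    """tactic -> sorted signature names, the way the report's summary lists them."""
    by_tactic = defaultdict(set)
    for f in findings:
        if f.tactic != "unclassified":
            by_tactic[f.tactic].add(f.signature)
    return {t: sorted(s) for t, s in sorted(by_tactic.items())}


def processes_for(findings, tactic):
    """Distinct acting processes behind one tactic (useful for scoping cleanup)."""
    return sorted({f.process for f in findings if f.tactic == tactic})


if __name__ == "__main__":
    found = classify_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.tactic:16} {f.signature:55} {f.process}")
    for tactic, names in summarize(found).items():
        print(tactic, "->", ", ".join(names))
```

The parser anchors on the process column (a drive-letter or \??\ path) rather than splitting on spaces, because an indicator's value may itself contain a quoted path, as the Run key row does.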

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
N/A N/A C:\windows\hosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 2960 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 2960 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 2960 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 2960 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2960 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2960 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2960 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1080 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1080 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1080 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1080 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1080 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2844 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2844 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2844 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2760 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2760 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2760 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2760 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2848 wrote to memory of 1916 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2848 wrote to memory of 1916 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2848 wrote to memory of 1916 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2848 wrote to memory of 1916 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2848 wrote to memory of 2680 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2680 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2680 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2680 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2844 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2844 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2844 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2760 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2760 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2760 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2760 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2680 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2680 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2680 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2680 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1080 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1080 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1080 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1080 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2848 wrote to memory of 2988 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2848 wrote to memory of 2988 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2848 wrote to memory of 2988 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2848 wrote to memory of 2988 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1080 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1080 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1080 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1080 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
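The table above repeats each parent/child pair several times because the sandbox logs every WriteProcessMemory call. As an added example (not the sandbox's code), the Python below turns those rows back into the process tree: it deduplicates the edges, keeps a write count per edge, finds the root, prints the indented tree, lists every root-to-leaf chain by image name, and flags edges where a binary launched a copy of itself (avscan.exe into avscan.exe). The assumption, stated in the code as well, is that each write here goes from a process to one it launched, which the Processes list for this detonation bears out; a write into an unrelated, pre-existing process would be an injection indicator instead and should not be read as a tree edge. The sample rows are the behavioral1 rows with one duplicate kept.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not the sandbox's own tooling.
Assumption: every write in this report goes from a process to one it
launched (the Processes section shows the same chain), so each distinct
(parent, child) pair is treated as a process-creation edge. A write into
an unrelated, already-running process would be injection, not a tree edge.
"""
import ntpath
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<parent_image>\S+) (?P<child_image>\S+)$"
)

# Constructed sample: the behavioral1 rows, with one duplicate kept
# (the sandbox logs every call, so real output repeats each edge).
SAMPLE_ROWS = r"""
PID 2960 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 2960 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 2960 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1080 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1080 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2760 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2848 wrote to memory of 1916 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2848 wrote to memory of 2680 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2760 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2680 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1080 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2848 wrote to memory of 2988 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1080 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
"""


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_image) per non-blank row."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append((int(m["parent"]), int(m["child"]),
                     m["parent_image"], m["child_image"]))
    return rows


def build_tree(rows):
    """Return (children, image, write_counts).

    children:     parent pid -> child pids in order of first appearance
    image:        pid -> full image path
    write_counts: (parent, child) -> number of logged writes
    """
    children, image, counts = defaultdict(list), {}, Counter()
    for parent, child, pimg, cimg in rows:
        image.setdefault(parent, pimg)
        image.setdefault(child, cimg)
        if child not in children[parent]:
            children[parent].append(child)
        counts[(parent, child)] += 1
    return children, image, counts


def roots(children):
    """Pids that wrote to others but were never written to: the tree roots."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def render(children, image, pid, depth=0):
    """Indented tree lines (image basename plus pid), depth-first."""
    lines = [f"{'  ' * depth}{ntpath.basename(image[pid])} (pid {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


def leaf_chains(children, image, pid, prefix=()):
    """Every root-to-leaf path as a list of image basenames."""
    path = prefix + (ntpath.basename(image[pid]),)
    kids = children.get(pid, [])
    if not kids:
        return [list(path)]
    chains = []
    for child in kids:
        chains.extend(leaf_chains(children, image, child, path))
    return chains


def self_spawns(rows):
    """(parent, child) pairs where a binary launched a copy of itself."""
    return sorted({(p, c) for p, c, pimg, cimg in rows if pimg.lower() == cimg.lower()})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    children, image, counts = build_tree(rows)
    for root in roots(children):
        print("\n".join(render(children, image, root)))
    print("self-relaunch edges:", self_spawns(rows))
```

ntpath.basename is used rather than os.path.basename so the backslash paths split correctly when the script is run on a non-Windows analysis host.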

Processes

C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\avscan.exe

MD5 6affc08c4cc74775a7bd9e2fdca55ee0
SHA1 533445d44d179a3e9e10666e5c91afdb002d7384
SHA256 01834cd5fcb17cc2d02d34c9299fda3dcaee13f2c46769ecea405bbd784a2ac9
SHA512 02854605877d1e2161d87bba95e1db8a3aef229d9176a31dbdb49a56857057b7ec6091417661408dbf2cbb801d712a4cbe496b6a146a10c146ccbc2fb45c4876

C:\Windows\hosts.exe

MD5 0113d3bfd3ef111307acbde36b22ad1f
SHA1 08cd63fbc51e5b37ef3efbca87a3b4668cc421f0
SHA256 8891f846340760ce99882b7877d867c91dfb0f3077c7d28245d09541328e14bd
SHA512 47203c016e49d8b302317f019ed81249ae02799ff9c533e1d3da3e6f669eb7c17224a34b274374b3b133b897b55a9f05288b7dfed4a8879f2550c1f2981b8a81

\??\c:\windows\W_X_C.bat

MD5 4db9f8b6175722b62ececeeeba1ce307
SHA1 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256 d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

memory/2760-61-0x00000000024B0000-0x00000000025B0000-memory.dmp

C:\Windows\W_X_C.vbs

MD5 e1551d79cbac725a6adfcbb4290820bb
SHA1 d66b66449fceeaa6715bea11a69986fe2ea0483f
SHA256 c7619c996c4bb083af1901d74b765b5058b4b0268d772c5f58c8215987734113
SHA512 e85b74bd0e11ef737753e323a6f6a587da48feda162c87d048840c58721a6ef1be6462fa3a2e855c6a846ba45da7280b134935dbbf246807f0b662352bded0df

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 3acf4594268b3692d899f15ecc821d08
SHA1 b6d04bdc23ef556b709ceb3e231083303b9232a9
SHA256 d7d2115cd7724aca7b40554f8e58ab3786bc3d7f3093c3c8108bf98dcd073dd0
SHA512 8b15dfdc6436a071f86cd6f71ace9bd9829fbe5b8818479cfcafd6bd87675c07b9bb7ef9267a6c44ed1a7bf0a9162f297e1ca2a3a5efeaaa2397ab126391a49a

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 2b673985aae3c7a8fe4927404966a84f
SHA1 349e97ebee31aafb8046dd37ef2cf4812c36ce48
SHA256 723acfa9240ad38d92792afe7cc526ffa242f49d69724a64573a23ad823d4867
SHA512 13eaee9884bd08f467944c0c18bc0080eb53f5d74f08272f650ffd08a7abe8c8f8b2ce904abc26c000e2557b6e53bbf004d774a0ca5a6e0bbc625d64a6a38596

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 20e177c2d59e823eedee317eab5291ef
SHA1 6b1bd74fa53e2210d49c235c8fa4a58241dee962
SHA256 b5a656be042dc297c73cd2b1edee0aa833d04e45a73e0a624d6649691a3ff66f
SHA512 e5efea0a6afaf3fd48539bb15c5667e1c36dfa10df62140cb79c84ac0f799645d1d9edb5b23ee158d389fc92d6b781781c14332704c75c9fccaec936db64df43

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 950528c44009d2b635e960660b6cb20b
SHA1 d2ab938041e2b99a0a7002d9b5ee145553389a57
SHA256 08b4fdec80b523dc5dab2d07f49b105555b4571ebdc7dad0828241ee4b3bd74e
SHA512 ac268f4402022e0592db7a090c2dcc349a299456b3e5bbd5173d531578d877083d49c0a64a37ae09ebfa979ba4936d265f62f387452fc9661153d31f2eec2051

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 124c4f5fb578efcdd0c711c7b04256ff
SHA1 1b474e1514aa703161a93bda2a80840a42d6d6dc
SHA256 debc471babe633232c8427c12a7a2f532639fd83ab4922e1937065a4b50260a5
SHA512 f4861da8cb13c249050de37525ccc8376ef21f285be7eec3e28728ba666217f351d17f8bd99ff7474cd711f28e9fb3462672b92e269f70bd26ebb523cb0721ee

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 c1571d11eb250671a536738c4aa78965
SHA1 bf6b1ff64c7da031dd54da639c8389ace3f224ce
SHA256 5e08375748cacf62f247e535b4e5a8e5bd63a23e5bf44d45f0cfa3fe61dfdc88
SHA512 7294e890c6db022453d130aef99c66ca81c9bcdd340370e378214b4fad26014c18de2df42bf48dd23bdb66f9739600c10fffd20d93e18f794939757c4d9c6690

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 9053e2a2773e1573ffdcb5f795e80ff2
SHA1 69bf0208d0dc7f47fe51485fce6e25a08015fbc2
SHA256 44154bb54f8fbee6b9e471a1a4430d75a2c96f4b2103e8ff83eecd57c6b58fc1
SHA512 048287d4ba834d32408b4807221896d68378ef535db5a6c906af28a1ebdf0e071a2e8577bbc0575df8304553f503deccd3471a9b536d3475697629c51849194e

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 04:23

Reported

2024-10-31 04:30

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\windows\hosts.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\windows\hosts.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HGNBWBGW = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HGNBWBGW = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HGNBWBGW = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Windows\SysWOW64\REG.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\windows\hosts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
File opened for modification C:\Windows\hosts.exe C:\windows\hosts.exe N/A
File created C:\windows\W_X_C.vbs C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
File created \??\c:\windows\W_X_C.bat C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\hosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\REG.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
N/A N/A C:\windows\hosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3392 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 3392 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 3392 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 3392 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 3392 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 3392 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 464 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 464 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 464 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 464 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 464 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 464 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 664 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2684 wrote to memory of 4580 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2684 wrote to memory of 3000 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 664 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2484 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3000 wrote to memory of 700 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3000 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 464 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2684 wrote to memory of 1576 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 464 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2684 wrote to memory of 368 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 464 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2684 wrote to memory of 3848 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 464 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2684 wrote to memory of 4996 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\819de36e469867c9d6c6fdf84bcd9a9d_JaffaCakes118.exe"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\avscan.exe

MD5 b5436bb6df903f83779bedd3c168595a
SHA1 3fae3dc913f5247bafda3892587a63a4d0ea9815
SHA256 6c39ffa70d9994088d17894aa3f931e44b8a6815953d12058715c1aa93ea5580
SHA512 f20dd032a08a33e24630332347ae34c7eb76f3baa75995f0d7205d9070bacb3a4aa5e9b7412b9c95fe59815938548e311fe3eeffc5ed6d026a8b7cb21a98bdfd

C:\Windows\hosts.exe

MD5 56b2092fc836b2997bdf4830b2864a0f
SHA1 69d73c28c4af5ad1dcd969523551ca1a10c1c955
SHA256 b7ba6ca378593295ed8cdf0e2c8421b09cf47cceac8d32340666a8d46db8985b
SHA512 06ff9537e05050aea59accad658cf35c35a586bdf79c3ee814086c1de6e8e89aff220be4988c21cba5edf961364149b90aa02bc89545dadfbf0c0bfeb89197b7

\??\c:\windows\W_X_C.bat

MD5 4db9f8b6175722b62ececeeeba1ce307
SHA1 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256 d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

C:\Windows\W_X_C.vbs

MD5 e1ad4129d5dc3012106832f1cbc4eac9
SHA1 7c205558c728906c8dcaa5843cd401460ef1ef20
SHA256 8197453abdc45c9231e84c5cb41001774165fdf9b884b46e5219ee620c231988
SHA512 ec8848d95654cb3679d74cb8168a46db69dec2963a56c5165ba4f196a6fc8a90cfc7c3adae2294ad0f0721a5e263d3d3aba0bb680efa1928ba55638dad77dcc1