Malware Analysis Report

2025-08-05 11:48

Sample ID: 241031-f6txfssmfk
Target: 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118
SHA256: ec454237d6fe71ad3987df75978e44ae5bc4cb08687358a1f27a4b88c221e9a5
Tags: upx defense_evasion discovery evasion persistence trojan
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: ec454237d6fe71ad3987df75978e44ae5bc4cb08687358a1f27a4b88c221e9a5

Threat Level: Likely malicious

The file 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx defense_evasion discovery evasion persistence trojan

Event Triggered Execution: Image File Execution Options Injection

Executes dropped EXE

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Indicator Removal: File Deletion

Checks for any installed AV software in registry

Adds Run key to start application

Checks whether UAC is enabled

Indicator Removal: Clear Persistence

Enumerates connected drives

UPX packed file

Drops file in System32 directory

Drops autorun.inf file

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-31 05:29

Signatures

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-31 05:29
Reported: 2024-10-31 05:32
Platform: win7-20241023-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe"

Signatures

Event Triggered Execution: Image File Execution Options Injection

Tags: persistence

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
N/A | N/A | C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe | N/A
N/A | N/A | C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe | N/A
N/A | N/A | C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A
N/A | N/A | C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Windows\SysWOW64\com\lsass.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\com\lsass.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\com\lsass.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\com\lsass.exe | N/A

Indicator Removal: Clear Persistence

Tags: defense_evasion

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A

Indicator Removal: File Deletion

Tags: defense_evasion

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | D:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | \??\E:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A
File created | C:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\com\bak | C:\Windows\SysWOW64\com\lsass.exe | N/A
File created | C:\Windows\SysWOW64\com\smss.exe | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\com\smss.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
File created | C:\Windows\SysWOW64\com\netcfg.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A
File created | C:\Windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\com\netcfg.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | C:\Windows\SysWOW64\259439006.log | C:\Windows\SysWOW64\com\lsass.exe | N/A
File created | C:\Windows\SysWOW64\dnsq.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | C:\Windows\SysWOW64\com\smss.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
File created | C:\Windows\SysWOW64\259439006.log | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
File created | C:\Windows\SysWOW64\com\lsass.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
File created | C:\Windows\SysWOW64\00302.log | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | C:\Windows\SysWOW64\com\netcfg.000 | C:\Windows\SysWOW64\com\lsass.exe | N/A
File created | C:\Windows\SysWOW64\00302.log | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\00302.log | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
File created | C:\Windows\SysWOW64\com\netcfg.000 | C:\Windows\SysWOW64\com\lsass.exe | N/A
File opened for modification | C:\Windows\SysWOW64\dnsq.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\lsass.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\lsass.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\smss.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\com\lsass.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2312 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 2312 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 2312 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 2312 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 2312 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 2312 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 2312 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 2312 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cacls.exe
PID 2312 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\com\smss.exe
PID 2380 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\com\smss.exe
PID 2380 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\com\smss.exe
PID 2380 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\com\smss.exe
PID 2312 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
PID 2312 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
PID 2312 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
PID 2312 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
PID 2420 wrote to memory of 2932 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2932 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2932 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2932 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2828 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2828 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2828 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2828 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2792 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2792 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2792 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2792 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2916 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2916 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2916 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2916 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 1780 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 1780 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 1780 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 1780 | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | C:\Windows\SysWOW64\cacls.exe
PID 2420 wrote to memory of 2856 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2856 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2856 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2856 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2684 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2684 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2684 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2684 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2760 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2760 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2760 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2760 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2760 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2760 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2760 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 2420 wrote to memory of 2320 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2420 wrote to memory of 2320 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2420 wrote to memory of 2320 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 2420 wrote to memory of 2320 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe

Processes

C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log

\??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log

"c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe

C:\Windows\SysWOW64\com\lsass.exe

"C:\Windows\system32\com\lsass.exe"

C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe

"C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\com\lsass.exe

^c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s

C:\Windows\SysWOW64\com\smss.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif

C:\Windows\SysWOW64\ping.exe

ping.exe -f -n 1 www.baidu.com

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x530

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 js.k0102.com udp
DE 185.53.179.173:80 js.k0102.com tcp
US 8.8.8.8:53 d38psrni17bvxu.cloudfront.net udp
NL 18.239.102.57:80 d38psrni17bvxu.cloudfront.net tcp
US 8.8.8.8:53 ifdnzact.com udp
US 208.91.196.46:80 ifdnzact.com tcp

Files

memory/2312-0-0x0000000000400000-0x000000000042C000-memory.dmp

\Windows\SysWOW64\com\smss.exe

MD5 2c5834f823066354d9e92396ecaca50d
SHA1 37647491c08aa2ec6d07cf805b0eabd978869f11
SHA256 b94c93730d8031b0391e6934f3da705bfca14080238c3070f032ff4cea6b1657
SHA512 ac3d1b1b7235e89bf5169822a250710ef61004cdaaf0e1c6c4d766dcf63223630ba81a613f0fed9b467f2c987735ec842eaef3ed53c67d3ff10563e26bc822b7

\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log

MD5 81c9f59d59f47adb56dcd644fe8ad3c2
SHA1 b531fd2e38e70b3f0affb73f127cb62a0fc32ca6
SHA256 ec454237d6fe71ad3987df75978e44ae5bc4cb08687358a1f27a4b88c221e9a5
SHA512 c893784f3b08553665470d375647b2a50de9ca3b8bbdba039624589d393772cba4b1ae65710c9f319408edf3301c1e8577503511c26a38ae3ebb814db665a05b

memory/2312-15-0x0000000000400000-0x000000000042C000-memory.dmp

\??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~

MD5 7b400627a528576c184a8e6ae2567cc0
SHA1 dcfa5e31be92429157c74be7e474907bbd75b102
SHA256 e31ee78f5c6144ded9f415475facf94575add9c806ec0cac8e2486ae04b82c1a
SHA512 5fdc94a4f4728de943e6b542305ffa6a891dcf5e80f167e9d70f0173b25311c401a122f47e286b151b02128a04073979a3cd6ccd09bdab51bcfd6915e7757d8a

memory/2420-28-0x0000000002F40000-0x0000000002F6C000-memory.dmp

\Windows\SysWOW64\com\lsass.exe

MD5 dca33e599ab160c3a70099e428b28e6a
SHA1 9cc19e802cbceb384697ca83f8fc91b15df097a4
SHA256 83ebe1a34e60f5ccbbbbd8d75e0d74e269e23355f50b8d677b0851e8eb0183fd
SHA512 bd0d6dd9e5442d61e3576751d6f17ffb7109ff5092d8ac038a4090f443f80f9a20436dd5346e36889e97202436b07828552c1f651d77b24748d1d563117fcdb2

memory/2320-36-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2420-47-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1728-51-0x0000000000400000-0x000000000042C000-memory.dmp

C:\NetApi000.sys

MD5 116b07e8887181880fad6c1145f8dc58
SHA1 e87acb06caa8fca981069e5cf5005cc9c74e5ce7
SHA256 454c8307648871a7db0aa79cd2d3e671e1234dcb87f42c593fa841ae9e881cca
SHA512 8da5c36dbf296b91f46ebf1d64918a48a59cfe45dee0588f5cc40e6805bd13310ebee39b735a66b7165ac74deb99bcaa2f761eef8678a295eabd17f5437c1cc6

C:\Windows\SysWOW64\com\netcfg.000

MD5 f527f2633493d985fb77a348c8e9e723
SHA1 83a3fbfa3eba9a435399707f7b83eda4b93d69ec
SHA256 e2cd4430ae2646e6a9bb5206670623bc6c693da322c7402b5c08e1c1c1de7258
SHA512 d2dc84335a2fd1a72b583edfe4bfead2247bef4b116f3419f59441f69590c81a58e453f73a1d0b51c4754fc0dbdbb03490ab03fc865bd3dc825361e0a786aab0

\Windows\SysWOW64\dnsq.dll

MD5 46e993717175142dcdffbdd53e30ca9d
SHA1 f57d052deb71a4a44aeb9d1efa0d4a9d70f0538e
SHA256 c53a1e2142e9d9019021298df808ad7d8378a9545274ef511151407853dd0fd3
SHA512 4ea6228beaf4ba09e9908f844a4e7fb1b406e427ae5d5a96bc577d6fab56c4e8672ae40c6af7aa83d8611b3f23b6d2355dd7c69fbada61e716862be78e2d5b3b

memory/2320-72-0x0000000010000000-0x0000000010018000-memory.dmp

memory/632-83-0x0000000010000000-0x0000000010010000-memory.dmp

memory/2320-95-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2044-100-0x0000000010000000-0x0000000010018000-memory.dmp

memory/2044-99-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2320-104-0x0000000010000000-0x0000000010018000-memory.dmp

memory/2320-105-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2524-107-0x0000000010000000-0x0000000010018000-memory.dmp

memory/2320-109-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-112-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-115-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-118-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-121-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-124-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-127-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-130-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-133-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-136-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-139-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-147-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2320-150-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 05:29

Reported

2024-10-31 05:32

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe"

Signatures

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\com\lsass.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Windows\SysWOW64\com\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\com\lsass.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\com\lsass.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\com\lsass.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\SysWOW64\com\lsass.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification D:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification \??\E:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\AUTORUN.INF C:\Windows\SysWOW64\com\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\com\lsass.exe \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A
File opened for modification \??\c:\windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\dnsq.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\bak C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\240628688.log C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\dnsq.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\netcfg.000 C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\netcfg.000 C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\00302.log C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\com\smss.exe C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\00302.log \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A
File opened for modification C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\com\lsass.exe N/A
File created C:\Windows\SysWOW64\240628688.log C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\smss.exe \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\com\lsass.exe \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A
File created C:\Windows\SysWOW64\00302.log C:\Windows\SysWOW64\com\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\com\netcfg.dll C:\Windows\SysWOW64\com\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\com\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\com\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3536 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3536 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3536 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3536 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3536 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3536 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 3536 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 5028 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 5028 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 3536 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
PID 3536 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
PID 3536 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
PID 1648 wrote to memory of 4984 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4984 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4984 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4616 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 4616 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 4616 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 1736 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 1736 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 1736 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 4676 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 4676 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 4676 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 3040 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 3040 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 3040 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cacls.exe
PID 1648 wrote to memory of 3884 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 3884 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 3884 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4208 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4208 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4208 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4816 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4816 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4816 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 4816 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 4816 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\com\smss.exe
PID 1648 wrote to memory of 4860 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 1648 wrote to memory of 4860 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 1648 wrote to memory of 4860 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 1648 wrote to memory of 2912 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
PID 1648 wrote to memory of 2912 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
PID 1648 wrote to memory of 2912 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
PID 1648 wrote to memory of 1172 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 1648 wrote to memory of 1172 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 1648 wrote to memory of 1172 N/A \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log C:\Windows\SysWOW64\com\lsass.exe
PID 4860 wrote to memory of 2200 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 2200 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 2200 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 2512 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 2512 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 2512 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 1948 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 4860 wrote to memory of 1948 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 4860 wrote to memory of 1948 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe
PID 4860 wrote to memory of 1684 N/A C:\Windows\SysWOW64\com\lsass.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log

\??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log

"c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe

C:\Windows\SysWOW64\com\lsass.exe

"C:\Windows\system32\com\lsass.exe"

C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe

"C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe"

C:\Windows\SysWOW64\com\lsass.exe

^c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ok

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s

C:\Windows\SysWOW64\com\smss.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"

C:\Windows\SysWOW64\com\smss.exe

C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif

C:\Windows\SysWOW64\ping.exe

ping.exe -f -n 1 www.baidu.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 js.k0102.com udp
DE 185.53.179.173:80 js.k0102.com tcp
US 8.8.8.8:53 d38psrni17bvxu.cloudfront.net udp
NL 18.239.102.95:80 d38psrni17bvxu.cloudfront.net tcp
US 8.8.8.8:53 ifdnzact.com udp
US 208.91.196.46:80 ifdnzact.com tcp
US 8.8.8.8:53 173.179.53.185.in-addr.arpa udp
US 8.8.8.8:53 95.102.239.18.in-addr.arpa udp
US 8.8.8.8:53 46.196.91.208.in-addr.arpa udp

Files

memory/3536-0-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Windows\SysWOW64\Com\smss.exe

MD5 2c5834f823066354d9e92396ecaca50d
SHA1 37647491c08aa2ec6d07cf805b0eabd978869f11
SHA256 b94c93730d8031b0391e6934f3da705bfca14080238c3070f032ff4cea6b1657
SHA512 ac3d1b1b7235e89bf5169822a250710ef61004cdaaf0e1c6c4d766dcf63223630ba81a613f0fed9b467f2c987735ec842eaef3ed53c67d3ff10563e26bc822b7

\??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log

MD5 81c9f59d59f47adb56dcd644fe8ad3c2
SHA1 b531fd2e38e70b3f0affb73f127cb62a0fc32ca6
SHA256 ec454237d6fe71ad3987df75978e44ae5bc4cb08687358a1f27a4b88c221e9a5
SHA512 c893784f3b08553665470d375647b2a50de9ca3b8bbdba039624589d393772cba4b1ae65710c9f319408edf3301c1e8577503511c26a38ae3ebb814db665a05b

memory/3536-13-0x0000000000400000-0x000000000042C000-memory.dmp

\??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~

MD5 7b400627a528576c184a8e6ae2567cc0
SHA1 dcfa5e31be92429157c74be7e474907bbd75b102
SHA256 e31ee78f5c6144ded9f415475facf94575add9c806ec0cac8e2486ae04b82c1a
SHA512 5fdc94a4f4728de943e6b542305ffa6a891dcf5e80f167e9d70f0173b25311c401a122f47e286b151b02128a04073979a3cd6ccd09bdab51bcfd6915e7757d8a

memory/4860-28-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Windows\SysWOW64\Com\lsass.exe

MD5 dca33e599ab160c3a70099e428b28e6a
SHA1 9cc19e802cbceb384697ca83f8fc91b15df097a4
SHA256 83ebe1a34e60f5ccbbbbd8d75e0d74e269e23355f50b8d677b0851e8eb0183fd
SHA512 bd0d6dd9e5442d61e3576751d6f17ffb7109ff5092d8ac038a4090f443f80f9a20436dd5346e36889e97202436b07828552c1f651d77b24748d1d563117fcdb2

memory/1648-32-0x0000000000400000-0x000000000042C000-memory.dmp

C:\NetApi000.sys

MD5 116b07e8887181880fad6c1145f8dc58
SHA1 e87acb06caa8fca981069e5cf5005cc9c74e5ce7
SHA256 454c8307648871a7db0aa79cd2d3e671e1234dcb87f42c593fa841ae9e881cca
SHA512 8da5c36dbf296b91f46ebf1d64918a48a59cfe45dee0588f5cc40e6805bd13310ebee39b735a66b7165ac74deb99bcaa2f761eef8678a295eabd17f5437c1cc6

memory/1172-37-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Windows\SysWOW64\Com\netcfg.000

MD5 f527f2633493d985fb77a348c8e9e723
SHA1 83a3fbfa3eba9a435399707f7b83eda4b93d69ec
SHA256 e2cd4430ae2646e6a9bb5206670623bc6c693da322c7402b5c08e1c1c1de7258
SHA512 d2dc84335a2fd1a72b583edfe4bfead2247bef4b116f3419f59441f69590c81a58e453f73a1d0b51c4754fc0dbdbb03490ab03fc865bd3dc825361e0a786aab0

memory/4860-55-0x0000000010000000-0x0000000010018000-memory.dmp

C:\Windows\SysWOW64\dnsq.dll

MD5 46e993717175142dcdffbdd53e30ca9d
SHA1 f57d052deb71a4a44aeb9d1efa0d4a9d70f0538e
SHA256 c53a1e2142e9d9019021298df808ad7d8378a9545274ef511151407853dd0fd3
SHA512 4ea6228beaf4ba09e9908f844a4e7fb1b406e427ae5d5a96bc577d6fab56c4e8672ae40c6af7aa83d8611b3f23b6d2355dd7c69fbada61e716862be78e2d5b3b
