Malware Analysis Report

2025-06-15 23:34

Sample ID 241031-tbhslayqhs
Target 8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118
SHA256 dcff17166a640b9230c5bc8f0eeeec4160f3f4ffff09e430a010c7d8ab67fc54
Tags bootkit defense_evasion discovery persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10
SHA256 dcff17166a640b9230c5bc8f0eeeec4160f3f4ffff09e430a010c7d8ab67fc54

Threat Level: Shows suspicious behavior

The file 8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit defense_evasion discovery persistence

Loads dropped DLL

Deletes itself

Executes dropped EXE

Indicator Removal: File Deletion

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-31 15:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-31 15:52
Reported 2024-10-31 15:57
Platform win7-20241010-en
Max time kernel 147s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\wuaucldt.exe N/A
N/A N/A \??\c:\users\admin\wuaucldt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe" \??\c:\users\admin\wuaucldt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe" \??\c:\users\admin\wuaucldt.exe N/A

Indicator Removal: File Deletion

defense_evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\wuaucldt.exe C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\wuaucldt.exe \??\c:\windows\SysWOW64\wuaucldt.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2492 set thread context of 3044 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\wuaucldt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\wuaucldt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe \??\c:\windows\SysWOW64\wuaucldt.exe
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe \??\c:\windows\SysWOW64\wuaucldt.exe
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe \??\c:\windows\SysWOW64\wuaucldt.exe
PID 2280 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe \??\c:\windows\SysWOW64\wuaucldt.exe
PID 2556 wrote to memory of 2492 N/A \??\c:\windows\SysWOW64\wuaucldt.exe \??\c:\users\admin\wuaucldt.exe
PID 2556 wrote to memory of 2492 N/A \??\c:\windows\SysWOW64\wuaucldt.exe \??\c:\users\admin\wuaucldt.exe
PID 2556 wrote to memory of 2492 N/A \??\c:\windows\SysWOW64\wuaucldt.exe \??\c:\users\admin\wuaucldt.exe
PID 2556 wrote to memory of 2492 N/A \??\c:\windows\SysWOW64\wuaucldt.exe \??\c:\users\admin\wuaucldt.exe
PID 2492 wrote to memory of 3044 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 2492 wrote to memory of 3044 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 2492 wrote to memory of 3044 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 2492 wrote to memory of 3044 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 2492 wrote to memory of 3044 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 2492 wrote to memory of 3044 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 2280 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2296 N/A \??\c:\windows\SysWOW64\wuaucldt.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2296 N/A \??\c:\windows\SysWOW64\wuaucldt.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2296 N/A \??\c:\windows\SysWOW64\wuaucldt.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2296 N/A \??\c:\windows\SysWOW64\wuaucldt.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe"

\??\c:\windows\SysWOW64\wuaucldt.exe

c:\windows\system32\wuaucldt.exe

\??\c:\users\admin\wuaucldt.exe

c:\users\admin\wuaucldt.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del c:\users\admin\appdata\local\temp\837866~1.EXE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del c:\windows\syswow64\wuaucldt.exe

Network

Country Destination Domain Proto
US 208.110.80.34:443 tcp
JP 115.125.150.227:443 tcp
UA 212.82.216.42:443 tcp
JP 122.219.252.105:443 tcp
UA 82.193.122.190:443 tcp
UA 195.214.214.53:443 tcp
UA 91.196.95.24:443 tcp
US 8.8.8.8:53 direct.ips.co.jp udp
US 8.8.8.8:53 www.epra udp
US 8.8.8.8:53 newsletter.go udp
US 8.8.8.8:53 isu2.tup.km.ua udp
US 8.8.8.8:53 www.billboxrecords.com.br udp
US 8.8.8.8:53 isu2.tup.km.ua udp
US 8.8.8.8:53 secure.fox udp
JP 202.218.13.170:443 direct.ips.co.jp tcp
JP 115.125.150.227:443 tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
UA 212.111.198.59:443 tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
US 140.177.205.56:443 tcp
JP 202.218.203.244:443 tcp
US 8.8.8.8:53 www.imagemfolheados.com.br udp
US 8.8.8.8:53 www.mlh.co.jp udp
US 204.74.99.100:443 www.mlh.co.jp tcp
BR 143.137.190.15:443 www.imagemfolheados.com.br tcp
US 8.8.8.8:53 www.guiaseshop.com.br udp
US 64.79.197.143:443 tcp
US 8.8.8.8:53 www.gsec.keio.ac.jp udp
UA 109.72.122.165:443 tcp
PL 193.23.48.228:443 tcp
US 8.8.8.8:53 rastu.com.ua udp
US 172.67.162.45:443 rastu.com.ua tcp
US 8.8.8.8:53 forums.ubuntulinux.jp udp
US 104.21.80.9:443 forums.ubuntulinux.jp tcp
JP 211.125.95.245:443 tcp
US 208.110.80.35:443 tcp
US 8.8.8.8:53 www.365.e-secom.jp udp
UA 77.120.121.35:443 tcp
JP 163.209.180.1:443 tcp
UA 109.72.122.165:443 tcp
UA 195.182.192.2:443 tcp
JP 202.218.13.230:443 tcp
JP 133.26.200.10:443 tcp
JP 202.218.203.244:443 tcp
JP 202.218.13.230:443 tcp
BR 143.137.190.15:443 www.imagemfolheados.com.br tcp
US 8.8.8.8:53 www.irt udp
UA 77.120.110.76:443 tcp
US 8.8.8.8:53 ex2.broadser udp
JP 203.79.51.228:443 tcp
UA 82.193.122.190:443 tcp
JP 210.165.4.71:443 tcp
US 8.8.8.8:53 hosting.cnrg.com.ua udp
US 8.8.8.8:53 www.myeclipseide.jp udp
DE 185.53.178.50:443 www.myeclipseide.jp tcp
US 8.8.8.8:53 cps-h3.ep.sci.hokudai.ac.jp udp
JP 210.171.131.16:443 tcp
US 8.8.8.8:53 ssl.form-mailer.jp udp
JP 219.99.163.174:443 ssl.form-mailer.jp tcp
US 8.8.8.8:53 www.treasuryislandcasino.com.ua udp
DE 37.1.197.107:443 www.treasuryislandcasino.com.ua tcp
US 8.8.8.8:53 cg.ces.kyutech.ac.jp udp
JP 202.214.40.79:443 tcp
UA 195.182.192.2:443 tcp
JP 211.125.95.245:443 tcp
JP 202.226.91.62:443 tcp
BR 201.20.45.207:443 tcp
US 208.110.80.36:443 tcp
US 8.8.8.8:53 www.science-forum.co.jp udp
BR 201.20.45.207:443 tcp
US 8.8.8.8:53 www.stone.co.ua udp
UA 77.120.99.240:443 tcp
US 8.8.8.8:53 www.aandd.jp udp
US 172.67.205.214:443 www.aandd.jp tcp
US 8.8.8.8:53 loja.tray.com.br udp
BR 177.67.115.135:443 loja.tray.com.br tcp
US 8.8.8.8:53 www.wolfram.co.jp udp
JP 210.157.5.25:443 tcp
US 74.125.87.69:443 tcp
US 140.177.9.54:443 www.wolfram.co.jp tcp
UA 109.72.122.165:443 tcp
BR 200.234.192.141:443 tcp
BR 200.143.10.165:443 tcp
US 8.8.8.8:53 www.okilogistics.co.jp udp
UA 212.82.216.42:443 tcp
JP 203.179.38.26:443 tcp
UA 109.72.122.165:443 tcp
UA 195.214.214.53:443 tcp
JP 61.120.56.37:443 tcp
US 8.8.8.8:53 apply.reedexpo.co.jp udp
IE 193.95.154.4:443 tcp
BR 201.20.45.207:443 tcp
US 8.8.8.8:53 www.rulez.org.ua udp
BR 200.234.192.141:443 tcp
US 69.10.37.190:443 tcp
US 140.177.205.56:443 tcp
BR 143.137.190.15:443 www.imagemfolheados.com.br tcp
BR 200.234.192.141:443 tcp
US 8.8.8.8:53 www.miltenyibiotec.co.jp udp
DE 45.87.158.7:443 www.miltenyibiotec.co.jp tcp
UA 77.120.110.76:443 tcp
UA 212.111.198.59:443 tcp
UA 91.203.146.30:443 tcp
US 8.8.8.8:53 ssl876.locaweb.com.br udp
BR 191.252.48.196:443 ssl876.locaweb.com.br tcp
PL 193.23.48.228:443 tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
US 8.8.8.8:53 bookweb.kinokuniya.co.jp udp
US 8.8.8.8:53 form.cao.go.jp udp
JP 210.148.118.162:443 form.cao.go.jp tcp
JP 203.216.221.246:443 bookweb.kinokuniya.co.jp tcp
JP 164.46.227.120:443 tcp
US 8.8.8.8:53 center.umin.ac.jp udp
US 8.8.8.8:53 nodes.com.ua udp
DE 37.1.197.107:443 www.treasuryislandcasino.com.ua tcp
UA 79.171.122.236:443 tcp
US 8.8.8.8:53 spooky.cartoons.org.ua udp
US 69.72.149.166:443 tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
US 8.8.8.8:53 bunker.org.ua udp
DE 116.202.13.71:443 bunker.org.ua tcp
BR 201.20.45.207:443 tcp
UA 109.72.122.165:443 tcp
DE 185.53.178.50:443 www.myeclipseide.jp tcp
JP 210.157.5.25:443 tcp
US 8.8.8.8:53 weather.co.ua udp
US 172.67.172.209:443 weather.co.ua tcp
US 69.72.149.166:443 tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
DE 116.202.13.71:443 bunker.org.ua tcp
JP 222.146.58.38:443 tcp
US 69.10.37.191:443 tcp
US 8.8.8.8:53 www.iknow.co.jp udp
US 8.8.8.8:53 ssl.aukro.ua udp
NL 193.242.216.23:443 ssl.aukro.ua tcp
JP 202.218.13.170:443 direct.ips.co.jp tcp
UA 91.196.95.24:443 tcp
UA 82.193.122.190:443 tcp
JP 211.133.134.87:443 tcp
US 8.8.8.8:53 www.science-forum.co.jp udp
BR 177.67.115.135:443 loja.tray.com.br tcp
DE 37.1.197.107:443 www.treasuryislandcasino.com.ua tcp
UA 212.82.216.42:443 tcp
BR 143.137.190.15:443 www.imagemfolheados.com.br tcp
UA 213.186.115.36:443 tcp
US 69.57.128.35:443 tcp
UA 77.120.99.240:443 tcp
JP 203.79.51.228:443 tcp
UA 193.178.147.110:443 tcp
US 207.44.220.4:443 tcp
JP 203.216.221.246:443 bookweb.kinokuniya.co.jp tcp
DE 116.202.13.71:443 bunker.org.ua tcp
UA 195.182.192.2:443 tcp
US 8.8.8.8:53 global-host.com.ua udp
JP 131.206.55.11:443 tcp
NL 193.242.216.23:443 ssl.aukro.ua tcp
NL 87.239.184.105:443 tcp
US 140.177.205.56:443 tcp
US 69.57.128.35:443 tcp
US 207.44.220.4:443 tcp
US 8.8.8.8:53 www.marantz.jp udp
US 104.18.34.13:443 www.marantz.jp tcp
JP 202.218.170.179:443 tcp
US 69.10.37.192:443 tcp
UA 77.120.110.76:443 tcp
JP 219.99.163.174:443 ssl.form-mailer.jp tcp
JP 61.120.56.37:443 tcp
JP 219.99.163.174:443 ssl.form-mailer.jp tcp
US 8.8.8.8:53 loja.tray.com.br udp
BR 177.67.115.135:443 loja.tray.com.br tcp
US 64.41.142.74:443 tcp
US 8.8.8.8:53 k.jfc.go.jp udp
US 8.8.8.8:53 wow.merlin.org.ua udp
UA 193.138.146.141:443 wow.merlin.org.ua tcp
US 172.67.172.209:443 weather.co.ua tcp
US 8.8.8.8:53 www.ristex.jp udp
UA 91.203.146.30:443 tcp
JP 164.46.227.120:443 tcp
JP 202.218.203.244:443 tcp
US 64.131.68.169:443 tcp
JP 133.26.200.10:443 tcp
US 8.8.8.8:53 www.jica.go.jp udp
NL 108.156.60.57:443 www.jica.go.jp tcp
JP 202.214.40.79:443 tcp
US 172.67.205.214:443 www.aandd.jp tcp
US 172.67.172.209:443 weather.co.ua tcp
BR 201.20.45.207:443 tcp
US 204.13.248.107:443 tcp
US 104.18.34.13:443 www.marantz.jp tcp
US 69.72.149.166:443 tcp
JP 210.165.4.71:443 tcp
JP 118.67.65.194:443 tcp
US 173.45.90.66:443 tcp
US 173.45.90.67:443 tcp
JP 202.214.40.79:443 tcp
UA 82.193.122.190:443 tcp
US 173.45.90.68:443 tcp
US 64.79.197.143:443 tcp
DE 45.87.158.7:443 www.miltenyibiotec.co.jp tcp
JP 122.219.252.105:443 tcp
JP 125.53.25.30:443 tcp
US 8.8.8.8:53 masterkey.com.ua udp
DE 185.53.178.53:443 masterkey.com.ua tcp
JP 202.226.91.62:443 tcp
US 8.8.8.8:53 www.pirateparty.in.ua udp
JP 61.120.56.37:443 tcp
BR 143.137.190.15:443 www.imagemfolheados.com.br tcp
US 69.57.128.35:443 tcp
UA 195.182.192.2:443 tcp
DE 185.53.178.53:443 masterkey.com.ua tcp
JP 130.69.92.68:443 tcp
US 65.74.140.3:443 tcp
US 8.8.8.8:53 ssl.aukro.ua udp
NL 193.242.216.23:443 ssl.aukro.ua tcp
UA 193.178.147.110:443 tcp
UA 82.193.122.190:443 tcp
US 69.72.149.166:443 tcp
DE 45.87.158.7:443 www.miltenyibiotec.co.jp tcp

Files

memory/2280-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2280-1-0x0000000009000000-0x0000000009009000-memory.dmp

memory/2280-2-0x0000000009000000-0x0000000009009000-memory.dmp

memory/2280-3-0x0000000070000000-0x000000007000B000-memory.dmp

\Windows\SysWOW64\wuaucldt.exe

MD5 8378669bb680e8f9f1b119af478bd7f1
SHA1 5451fd915ff5c3a89a4c003e55122cd94fe985a5
SHA256 dcff17166a640b9230c5bc8f0eeeec4160f3f4ffff09e430a010c7d8ab67fc54
SHA512 edffe6511ea44485664cc553ab658b103fc5d012cbf8a94ef2759fc3f59ed6fcdbaf088617352645984d13eb2e1d8d737d2573e7e97befcc641f93b395ae32a9

memory/2280-13-0x00000000002D0000-0x00000000002DB000-memory.dmp

memory/2556-15-0x0000000009000000-0x0000000009009000-memory.dmp

memory/2492-27-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2556-26-0x0000000000250000-0x000000000025B000-memory.dmp

memory/2492-29-0x0000000070000000-0x000000007000B000-memory.dmp

memory/3044-34-0x0000000000080000-0x0000000000089000-memory.dmp

memory/3044-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3044-31-0x0000000000080000-0x0000000000089000-memory.dmp

memory/3044-36-0x0000000000080000-0x0000000000089000-memory.dmp

memory/3044-37-0x0000000000080000-0x0000000000089000-memory.dmp

memory/3044-40-0x0000000000080000-0x0000000000089000-memory.dmp

memory/3044-41-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2280-58-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-31 15:52
Reported 2024-10-31 15:58
Platform win10v2004-20241007-en
Max time kernel 150s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\wuaucldt.exe N/A
N/A N/A \??\c:\users\admin\wuaucldt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe" \??\c:\users\admin\wuaucldt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe" \??\c:\users\admin\wuaucldt.exe N/A

Indicator Removal: File Deletion

defense_evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\wuaucldt.exe C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\wuaucldt.exe \??\c:\windows\SysWOW64\wuaucldt.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3964 set thread context of 2244 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\wuaucldt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\wuaucldt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe \??\c:\windows\SysWOW64\wuaucldt.exe
PID 1248 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe \??\c:\windows\SysWOW64\wuaucldt.exe
PID 1248 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe \??\c:\windows\SysWOW64\wuaucldt.exe
PID 4780 wrote to memory of 3964 N/A \??\c:\windows\SysWOW64\wuaucldt.exe \??\c:\users\admin\wuaucldt.exe
PID 4780 wrote to memory of 3964 N/A \??\c:\windows\SysWOW64\wuaucldt.exe \??\c:\users\admin\wuaucldt.exe
PID 4780 wrote to memory of 3964 N/A \??\c:\windows\SysWOW64\wuaucldt.exe \??\c:\users\admin\wuaucldt.exe
PID 3964 wrote to memory of 2244 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 3964 wrote to memory of 2244 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 3964 wrote to memory of 2244 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 3964 wrote to memory of 2244 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 3964 wrote to memory of 2244 N/A \??\c:\users\admin\wuaucldt.exe C:\Windows\SysWOW64\svchost.exe
PID 1248 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 3752 N/A \??\c:\windows\SysWOW64\wuaucldt.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 3752 N/A \??\c:\windows\SysWOW64\wuaucldt.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 3752 N/A \??\c:\windows\SysWOW64\wuaucldt.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8378669bb680e8f9f1b119af478bd7f1_JaffaCakes118.exe"

\??\c:\windows\SysWOW64\wuaucldt.exe

c:\windows\system32\wuaucldt.exe

\??\c:\users\admin\wuaucldt.exe

c:\users\admin\wuaucldt.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del c:\users\admin\appdata\local\temp\837866~1.EXE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del c:\windows\syswow64\wuaucldt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 208.110.80.34:443 tcp
JP 202.164.228.11:443 tcp
UA 62.149.23.110:443 tcp
UA 193.110.163.66:443 tcp
US 74.125.87.69:443 tcp
US 69.72.149.166:443 tcp
UA 91.203.146.30:443 tcp
UA 77.120.104.50:443 tcp
JP 202.218.170.179:443 tcp
JP 164.46.227.120:443 tcp
UA 212.82.216.42:443 tcp
US 8.8.8.8:53 secure.fox udp
US 8.8.8.8:53 www.wolfram.co.jp udp
US 8.8.8.8:53 cps-h3.ep.sci.hokudai.ac.jp udp
US 8.8.8.8:53 bookweb.kinokuniya.co.jp udp
N/A 10.127.0.246:443 tcp
BR 200.234.192.141:443 tcp
US 140.177.9.54:443 www.wolfram.co.jp tcp
UA 195.182.192.2:443 tcp
JP 203.216.221.246:443 bookweb.kinokuniya.co.jp tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 m-repo.lib.meiji.ac.jp udp
US 8.8.8.8:53 66.163.110.193.in-addr.arpa udp
US 8.8.8.8:53 11.228.164.202.in-addr.arpa udp
US 8.8.8.8:53 2.192.182.195.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 www.guiaseshop.com.br udp
US 8.8.8.8:53 isu2.tup.km.ua udp
JP 133.26.200.10:443 m-repo.lib.meiji.ac.jp tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
US 8.8.8.8:53 itmedia.smartseminar.jp udp
US 8.8.8.8:53 form.cao.go.jp udp
NL 18.239.18.76:443 itmedia.smartseminar.jp tcp
JP 210.148.118.162:443 form.cao.go.jp tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 246.221.216.203.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.53.182.217.in-addr.arpa udp
US 8.8.8.8:53 76.18.239.18.in-addr.arpa udp
US 8.8.8.8:53 162.118.148.210.in-addr.arpa udp
US 8.8.8.8:53 bunker.org.ua udp
JP 211.125.95.245:443 tcp
US 35.212.176.11:443 bunker.org.ua tcp
US 69.57.128.35:443 tcp
JP 164.46.227.120:443 tcp
JP 125.53.25.30:443 tcp
US 8.8.8.8:53 11.176.212.35.in-addr.arpa udp
JP 202.218.170.179:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 65.74.140.3:443 tcp
US 208.110.80.35:443 tcp
US 207.44.220.4:443 tcp
US 8.8.8.8:53 www.stone.co.ua udp
US 8.8.8.8:53 forum.gryada.org.ua udp
UA 195.214.214.53:443 tcp
JP 131.206.55.11:443 tcp
UA 195.214.214.53:443 tcp
US 8.8.8.8:53 ss1.coressl.jp udp
US 8.8.8.8:53 www.miltenyibiotec.co.jp udp
DE 193.26.15.243:443 tcp
JP 210.165.4.71:443 tcp
DE 45.87.158.7:443 www.miltenyibiotec.co.jp tcp
JP 183.90.183.210:443 ss1.coressl.jp tcp
NL 87.239.184.105:443 tcp
US 8.8.8.8:53 210.183.90.183.in-addr.arpa udp
JP 122.219.252.105:443 tcp
US 8.8.8.8:53 www.jaif.or.jp udp
JP 150.60.251.193:443 www.jaif.or.jp tcp
UA 91.196.95.24:443 tcp
US 35.212.176.11:443 bunker.org.ua tcp
US 8.8.8.8:53 193.251.60.150.in-addr.arpa udp
JP 202.218.13.230:443 tcp
US 8.8.8.8:53 ssl.aukro.ua udp
NL 193.242.216.23:443 ssl.aukro.ua tcp
US 140.177.9.54:443 www.wolfram.co.jp tcp
US 8.8.8.8:53 www.epra udp
JP 222.146.58.38:443 tcp
US 8.8.8.8:53 direct.ips.co.jp udp
JP 202.218.13.170:443 direct.ips.co.jp tcp
US 8.8.8.8:53 23.216.242.193.in-addr.arpa udp
US 8.8.8.8:53 www.imagemfolheados.com.br udp
US 8.8.8.8:53 170.13.218.202.in-addr.arpa udp
BR 143.137.190.15:443 www.imagemfolheados.com.br tcp
JP 211.133.134.87:443 tcp
BR 201.20.45.207:443 tcp
US 8.8.8.8:53 15.190.137.143.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
UA 212.111.198.59:443 tcp
US 69.57.128.35:443 tcp
US 208.110.80.36:443 tcp
US 8.8.8.8:53 www.irt udp
BR 200.234.192.141:443 tcp
DE 193.26.15.243:443 tcp
UA 212.111.198.59:443 tcp
US 8.8.8.8:53 www.365.e-secom.jp udp
BR 177.67.115.135:443 loja.tray.com.br tcp
UA 193.110.163.66:443 tcp
UA 62.149.23.110:443 tcp
UA 91.196.95.24:443 tcp
JP 183.90.183.210:443 ss1.coressl.jp tcp
US 8.8.8.8:53 masterkey.com.ua udp
DE 185.53.178.53:443 masterkey.com.ua tcp
US 8.8.8.8:53 135.115.67.177.in-addr.arpa udp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
JP 133.26.200.10:443 m-repo.lib.meiji.ac.jp tcp
JP 202.226.91.62:443 tcp
BR 200.143.10.165:443 tcp
US 8.8.8.8:53 53.178.53.185.in-addr.arpa udp
US 69.72.149.166:443 tcp
US 8.8.8.8:53 www.sextoy.com.br udp
US 147.182.196.237:443 www.sextoy.com.br tcp
JP 125.53.25.30:443 tcp
JP 163.209.180.1:443 tcp
US 8.8.8.8:53 237.196.182.147.in-addr.arpa udp
JP 202.218.13.170:443 direct.ips.co.jp tcp
US 8.8.8.8:53 www.saredrogarias.com.br udp
US 104.21.49.86:443 www.saredrogarias.com.br tcp
US 8.8.8.8:53 www.inde udp
UA 109.72.122.165:443 tcp
US 8.8.8.8:53 86.49.21.104.in-addr.arpa udp
BR 200.192.143.87:443 tcp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 69.10.37.190:443 tcp
UA 212.42.72.183:443 tcp
JP 163.209.180.1:443 tcp
US 8.8.8.8:53 ir.kagoshima-u.ac.jp udp
JP 202.218.170.179:443 tcp
JP 158.101.87.161:443 ir.kagoshima-u.ac.jp tcp
UA 62.149.23.110:443 tcp
UA 109.72.122.165:443 tcp
US 35.212.176.11:443 bunker.org.ua tcp
US 8.8.8.8:53 161.87.101.158.in-addr.arpa udp
BR 143.137.190.15:443 www.imagemfolheados.com.br tcp
US 104.21.49.86:443 www.saredrogarias.com.br tcp
JP 203.179.38.26:443 tcp
UA 62.149.23.110:443 tcp
UA 212.82.216.42:443 tcp
BR 200.143.10.165:443 tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
US 8.8.8.8:53 www.aandd.jp udp
US 172.67.205.214:443 www.aandd.jp tcp
BR 201.20.45.207:443 tcp
US 8.8.8.8:53 214.205.67.172.in-addr.arpa udp
JP 202.218.13.170:443 direct.ips.co.jp tcp
US 8.8.8.8:53 www.stone.co.ua udp
US 8.8.8.8:53 nodes.com.ua udp
JP 158.101.87.161:443 ir.kagoshima-u.ac.jp tcp
US 8.8.8.8:53 www.epra udp
US 8.8.8.8:53 center.umin.ac.jp udp
US 8.8.8.8:53 www.guiaseshop.com.br udp
US 207.44.220.4:443 tcp
US 35.212.176.11:443 bunker.org.ua tcp
US 8.8.8.8:53 www.billboxrecords.com.br udp
JP 203.79.51.228:443 tcp
US 8.8.8.8:53 www.digimer.com.br udp
US 8.8.8.8:53 228.51.79.203.in-addr.arpa udp
NL 18.239.94.27:443 www.digimer.com.br tcp
US 8.8.8.8:53 www.okilogistics.co.jp udp
BR 200.143.10.165:443 tcp
UA 77.120.99.240:443 tcp
BR 201.76.41.87:443 tcp
US 8.8.8.8:53 27.94.239.18.in-addr.arpa udp
JP 131.206.55.11:443 tcp
US 69.10.37.191:443 tcp
JP 61.120.56.37:443 tcp
BR 177.67.115.135:443 loja.tray.com.br tcp
US 8.8.8.8:53 www.okilogistics.co.jp udp
JP 210.165.4.71:443 tcp
US 8.8.8.8:53 www.science-forum.co.jp udp
JP 163.209.180.1:443 tcp
JP 202.191.113.9:443 tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
JP 210.157.5.25:443 tcp
US 8.8.8.8:53 www.myeclipseide.jp udp
DE 185.53.178.50:443 www.myeclipseide.jp tcp
US 8.8.8.8:53 www.epra udp
BR 201.20.45.207:443 tcp
US 8.8.8.8:53 www.rulez.org.ua udp
UA 77.120.99.240:443 tcp
JP 163.209.180.1:443 tcp
US 8.8.8.8:53 50.178.53.185.in-addr.arpa udp
JP 210.148.118.162:443 form.cao.go.jp tcp
US 8.8.8.8:53 newsletter.go udp
JP 115.125.150.227:443 tcp
DE 45.87.158.7:443 www.miltenyibiotec.co.jp tcp
US 8.8.8.8:53 www.imusica.com.br udp
NL 18.238.243.66:443 www.imusica.com.br tcp
US 8.8.8.8:53 66.243.238.18.in-addr.arpa udp
UA 193.178.147.110:443 tcp
US 8.8.8.8:53 k.jfc.go.jp udp
UA 109.72.122.165:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
BR 201.20.45.207:443 tcp
US 140.177.9.54:443 www.wolfram.co.jp tcp
US 8.8.8.8:53 shop.poziti udp
US 8.8.8.8:53 forum.gryada.org.ua udp
US 104.21.49.86:443 www.saredrogarias.com.br tcp
BR 201.20.45.207:443 tcp
US 8.8.8.8:53 hosting.cnrg.com.ua udp
US 8.8.8.8:53 www.iknow.co.jp udp
US 64.41.142.74:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 69.10.37.192:443 tcp
JP 202.218.111.122:443 tcp
UA 77.120.104.50:443 tcp
US 69.57.128.35:443 tcp
BR 200.143.10.165:443 tcp
JP 203.79.51.228:443 tcp
US 8.8.8.8:53 www.iknow.co.jp udp
UA 195.182.192.2:443 tcp
US 64.131.68.169:443 tcp
NL 18.238.243.66:443 www.imusica.com.br tcp
US 8.8.8.8:53 forum.gryada.org.ua udp
JP 122.219.252.105:443 tcp
UA 195.182.192.2:443 tcp
US 8.8.8.8:53 hosting.cnrg.com.ua udp
JP 115.125.150.227:443 tcp
US 8.8.8.8:53 spooky.cartoons.org.ua udp
US 8.8.8.8:53 www.science-forum.co.jp udp
JP 210.148.118.162:443 form.cao.go.jp tcp
UA 82.193.122.190:443 tcp
JP 158.101.87.161:443 ir.kagoshima-u.ac.jp tcp
US 8.8.8.8:53 www.epra udp
US 35.212.176.11:443 bunker.org.ua tcp
JP 202.218.13.230:443 tcp
JP 211.125.95.245:443 tcp
UA 91.203.146.30:443 tcp
BR 200.234.192.141:443 tcp
JP 125.53.25.30:443 tcp
JP 183.90.183.210:443 ss1.coressl.jp tcp
JP 203.180.136.89:443 tcp
US 8.8.8.8:53 www.jica.go.jp udp
NL 108.156.60.40:443 www.jica.go.jp tcp
US 8.8.8.8:53 40.60.156.108.in-addr.arpa udp
DE 45.87.158.7:443 www.miltenyibiotec.co.jp tcp
BR 143.137.190.15:443 www.imagemfolheados.com.br tcp
US 8.8.8.8:53 www.inde udp
US 8.8.8.8:53 www.pirateparty.in.ua udp
NL 108.156.60.40:443 www.jica.go.jp tcp
US 8.8.8.8:53 www.kajima.co.jp udp
JP 202.241.202.159:443 www.kajima.co.jp tcp
JP 210.148.118.162:443 form.cao.go.jp tcp
US 8.8.8.8:53 159.202.241.202.in-addr.arpa udp
BR 201.20.45.207:443 tcp
US 173.45.90.66:443 tcp
N/A 10.127.0.246:443 tcp
US 173.45.90.67:443 tcp
US 8.8.8.8:53 66.90.45.173.in-addr.arpa udp
US 8.8.8.8:53 www.treasuryislandcasino.com.ua udp
DE 37.1.197.107:443 www.treasuryislandcasino.com.ua tcp
US 8.8.8.8:53 www.epra udp
NL 87.239.184.105:443 tcp
US 8.8.8.8:53 107.197.1.37.in-addr.arpa udp
UA 193.178.147.110:443 tcp
US 35.212.176.11:443 bunker.org.ua tcp
JP 202.218.111.122:443 tcp
US 8.8.8.8:53 hosting.cnrg.com.ua udp
DE 37.1.197.107:443 www.treasuryislandcasino.com.ua tcp
US 69.72.149.166:443 tcp
JP 210.148.118.162:443 form.cao.go.jp tcp
US 8.8.8.8:53 weather.co.ua udp
US 172.67.172.209:443 weather.co.ua tcp
JP 202.226.91.62:443 tcp
US 173.45.90.68:443 tcp
UA 77.120.110.76:443 tcp
US 8.8.8.8:53 209.172.67.172.in-addr.arpa udp
JP 163.209.180.1:443 tcp
US 104.21.49.86:443 www.saredrogarias.com.br tcp
US 172.67.172.209:443 weather.co.ua tcp
JP 210.157.5.25:443 tcp
US 204.13.248.107:443 tcp
UA 62.149.23.110:443 tcp
JP 210.171.131.16:443 tcp
JP 131.113.221.138:443 tcp
UA 193.178.147.110:443 tcp
US 8.8.8.8:53 www.stone.co.ua udp
US 8.8.8.8:53 www.epra udp
JP 158.101.87.161:443 ir.kagoshima-u.ac.jp tcp
BR 200.234.192.141:443 tcp
UA 195.214.214.53:443 tcp
JP 125.53.25.30:443 tcp

Files

memory/1248-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1248-1-0x0000000009000000-0x0000000009009000-memory.dmp

memory/1248-3-0x0000000070000000-0x000000007000B000-memory.dmp

memory/1248-2-0x0000000009000000-0x0000000009009000-memory.dmp

\??\c:\windows\SysWOW64\wuaucldt.exe

MD5 8378669bb680e8f9f1b119af478bd7f1
SHA1 5451fd915ff5c3a89a4c003e55122cd94fe985a5
SHA256 dcff17166a640b9230c5bc8f0eeeec4160f3f4ffff09e430a010c7d8ab67fc54
SHA512 edffe6511ea44485664cc553ab658b103fc5d012cbf8a94ef2759fc3f59ed6fcdbaf088617352645984d13eb2e1d8d737d2573e7e97befcc641f93b395ae32a9

memory/4780-9-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3964-17-0x0000000070000000-0x000000007000B000-memory.dmp

memory/2244-19-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

memory/2244-20-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

memory/2244-21-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

memory/2244-24-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

memory/2244-25-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

memory/2244-26-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

memory/1248-57-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1248-58-0x0000000070000000-0x000000007000B000-memory.dmp

memory/4780-61-0x0000000070000000-0x000000007000B000-memory.dmp