Malware Analysis Report

2025-01-03 07:38

Sample ID 241127-jrxlks1ner
Target a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118
SHA256 2183dd8a07c328ff41cf8fedc06bdc9ec8166d6c11691cb6d379899318d8e555
Tags
a310logger blustealer collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2183dd8a07c328ff41cf8fedc06bdc9ec8166d6c11691cb6d379899318d8e555

Threat Level: Known bad

The file a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

a310logger blustealer collection discovery spyware stealer

A310logger family

Blustealer family

A310logger

BluStealer

A310logger Executable

Checks computer location settings

Executes dropped EXE

Reads WinSCP keys stored on the system

Reads local data of messenger clients

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 07:54

Signatures

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 07:54

Reported

2024-11-27 07:57

Platform

win7-20240903-en

Max time kernel

134s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe"

Signatures

A310logger

stealer spyware a310logger

A310logger family

a310logger

BluStealer

stealer blustealer

Blustealer family

blustealer

A310logger Executable

(no indicator details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2408 wrote to memory of 2836 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 2616 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe
PID 2616 wrote to memory of 2948 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LEjGKtEzH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6519.tmp"

C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mail.masarprecast.com | udp
US | 135.148.103.173:587 | mail.masarprecast.com | tcp
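The behavioral1 run above records the whole chain in order: the sample registers a scheduled task from an XML file in its own Temp folder (schtasks /Create /TN "Updates\LEjGKtEzH" /XML ...\tmp6519.tmp), relaunches its own image as PID 2616 and writes into that child (the same-image parent-to-child write that the WriteProcessMemory and SetThreadContext signatures point at), the injected child starts Fox.exe from the Office Templates folder, and the only non-resolver connection is a TCP session to port 587 on mail.masarprecast.com, consistent with SMTP-based exfiltration of what the stealer collects. The Python below is an added example, not part of this report or of any sandbox's own code: it turns those four behaviours into detection rules and runs them over constructed Sysmon-style events whose PIDs, paths and command lines are copied from this run. Attributing the port-587 connection to Fox.exe is an assumption (the report does not name the connecting process), the parent PID 1000 is a placeholder, and the Outlook control events are constructed so the SMTP rule has a negative case.

```python
"""Behavioural detections modelled on the behavioral1 process chain above.
Added example, not part of the sandbox report. Events use a simplified
Sysmon-like shape; all sample events are constructed from report values,
and attributing the port-587 connection to Fox.exe is an assumption."""
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe"
FOX_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe"
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LEjGKtEzH" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6519.tmp"')

# Constructed telemetry; PIDs, images and command lines copied from behavioral1.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "pid": 2408, "ppid": 1000, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"type": "process_create", "pid": 2836, "ppid": 2408, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": SCHTASKS_CMD},
    {"type": "process_create", "pid": 2616, "ppid": 2408, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    # the report lists four separate writes from 2408 into its same-image child 2616
    *[{"type": "write_process_memory", "src_pid": 2408, "dst_pid": 2616} for _ in range(4)],
    {"type": "process_create", "pid": 2948, "ppid": 2616, "image": FOX_EXE, "cmdline": FOX_EXE},
    *[{"type": "write_process_memory", "src_pid": 2616, "dst_pid": 2948} for _ in range(2)],
    {"type": "network_connect", "pid": 2948, "dst_ip": "135.148.103.173", "dst_port": 587, "proto": "tcp"},
    # Benign control (constructed): a mail client submitting on 587 must not fire the SMTP rule.
    {"type": "process_create", "pid": 4100, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
    {"type": "network_connect", "pid": 4100, "dst_ip": "203.0.113.25", "dst_port": 587, "proto": "tcp"},
]

SCHTASKS_XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TEMPLATES_DIR_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\", re.IGNORECASE)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SUBMISSION_PORTS = {25, 465, 587}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_index(events: List[Event]) -> Dict[int, Event]:
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def rule_schtasks_xml_from_temp(events: List[Event]) -> List[Tuple[int, str]]:
    """schtasks /Create whose /XML task definition lives in the user's Temp folder."""
    hits = []
    for e in events:
        if e["type"] != "process_create" or image_name(e["image"]) != "schtasks.exe":
            continue
        m = SCHTASKS_XML_RE.search(e["cmdline"])
        if "/create" in e["cmdline"].lower() and m:
            xml_path = m.group(1) or m.group(2)
            if TEMP_DIR_RE.search(xml_path):
                hits.append((e["pid"], xml_path))
    return hits


def rule_self_injection(events: List[Event]) -> List[Tuple[int, int]]:
    """Parent writes into a child running the parent's own image (hollowing pattern).
    Repeated writes into the same child are reported once; writes into a child
    with a different image (2616 -> Fox.exe) are deliberately not matched here."""
    procs, seen, hits = process_index(events), set(), []
    for e in events:
        if e["type"] != "write_process_memory":
            continue
        src, dst = procs.get(e["src_pid"]), procs.get(e["dst_pid"])
        if not src or not dst or dst["ppid"] != src["pid"]:
            continue
        pair = (src["pid"], dst["pid"])
        if src["image"].lower() == dst["image"].lower() and pair not in seen:
            seen.add(pair)
            hits.append(pair)
    return hits


def rule_exec_from_templates(events: List[Event]) -> List[int]:
    """Executables launched from the Office Templates folder, where Fox.exe was dropped."""
    return [e["pid"] for e in events
            if e["type"] == "process_create" and TEMPLATES_DIR_RE.search(e["image"])]


def rule_smtp_from_non_mail_client(events: List[Event]) -> List[Tuple[int, str, int]]:
    """Outbound TCP to a mail submission port from anything that is not a mail client."""
    procs, hits = process_index(events), []
    for e in events:
        if e["type"] != "network_connect" or e["proto"] != "tcp" or e["dst_port"] not in SUBMISSION_PORTS:
            continue
        proc = procs.get(e["pid"])
        if proc and image_name(proc["image"]) not in MAIL_CLIENTS:
            hits.append((e["pid"], e["dst_ip"], e["dst_port"]))
    return hits


def run_detections(events: List[Event]) -> List[Tuple[str, str]]:
    findings = [("schtasks_xml_from_temp", f"pid {p} registered task from {x}")
                for p, x in rule_schtasks_xml_from_temp(events)]
    findings += [("self_injection", f"pid {s} wrote into same-image child {d}") for s, d in rule_self_injection(events)]
    findings += [("exec_from_templates", f"pid {p}") for p in rule_exec_from_templates(events)]
    findings += [("smtp_from_non_mail_client", f"pid {p} -> {ip}:{port}")
                 for p, ip, port in rule_smtp_from_non_mail_client(events)]
    return findings


if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The self-injection rule keys on parent and child sharing one image path, which is what the report shows for 2408 -> 2616; the later writes from 2616 into Fox.exe have different images and are left to the Templates-path rule, so each finding has one cause. On real Sysmon data the same four checks map to Event ID 1 (process creation), Event ID 8/10 or an EDR memory-write event, and Event ID 3 (network connection).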

Files

memory/2408-3-0x0000000000430000-0x0000000000446000-memory.dmp

memory/2408-2-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/2408-1-0x0000000000D70000-0x0000000000E5C000-memory.dmp

memory/2408-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

memory/2408-4-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

memory/2408-5-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/2408-6-0x00000000082E0000-0x00000000083AE000-memory.dmp

memory/2408-7-0x0000000005E00000-0x0000000005E62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6519.tmp

MD5 6f66ca4c5d6a157b994ae7d80d569140
SHA1 1745fcf60cc002a84398586b56baa6d1be91285d
SHA256 ed68779478d88f4c7e336889c9f2589ed8980df9136b81b730421d90fc59442a
SHA512 0fbc610904a54f638f6819eef532b3c7dbdfbf68473354af73d85adfc36b61ba756bfe19db414f28989c509b5ed988a2e13e58ea6318d6463c43f769e30a22a2

memory/2616-13-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2408-27-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/2616-25-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2616-21-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2616-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2616-17-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2616-15-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\LNDZL4~1.ZIP

MD5 40a9752d59f2883e40d928f85a749008
SHA1 c60fb58eff64a7969b46f3934766f991352eeb47
SHA256 ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820
SHA512 ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

MD5 91b41651e6e9ab352805c6d35a297d08
SHA1 11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e
SHA256 0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723
SHA512 b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

memory/2948-58-0x0000000000890000-0x0000000000942000-memory.dmp

memory/2616-60-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 07:54

Reported

2024-11-27 07:57

Platform

win10v2004-20241007-en

Max time kernel

130s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe"

Signatures

A310logger

stealer spyware a310logger

A310logger family

a310logger

BluStealer

stealer blustealer

Blustealer family

blustealer

A310logger Executable

(no indicator details recorded)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2940 wrote to memory of 752 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 3044 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe
PID 2940 wrote to memory of 3972 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe
PID 3972 wrote to memory of 3208 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LEjGKtEzH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4978.tmp"

C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6c09767f7b9b02156bd3e4f67764e79_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.masarprecast.com | udp
US | 135.148.103.173:587 | mail.masarprecast.com | tcp
US | 8.8.8.8:53 | 173.103.148.135.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/2940-0-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

memory/2940-1-0x0000000000540000-0x000000000062C000-memory.dmp

memory/2940-2-0x0000000005030000-0x00000000050CC000-memory.dmp

memory/2940-3-0x0000000005680000-0x0000000005C24000-memory.dmp

memory/2940-4-0x00000000050D0000-0x0000000005162000-memory.dmp

memory/2940-5-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

memory/2940-6-0x00000000052F0000-0x0000000005346000-memory.dmp

memory/2940-7-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/2940-8-0x0000000007FF0000-0x0000000008006000-memory.dmp

memory/2940-9-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

memory/2940-10-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/2940-11-0x00000000085A0000-0x000000000866E000-memory.dmp

memory/2940-12-0x000000000AD40000-0x000000000ADA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4978.tmp

MD5 1eb342e3e07d96d212eae376dc86242e
SHA1 ac078c97019b104b333e054c04660cc22553a556
SHA256 674f2e93b6784bc89ed169696dd7f936b7db6b040a2f07c38a39c66476958a44
SHA512 e5e8d3a951be484e839b165fc8aeca0fbbccf096e579ab78a7fed8918e346b55f30c3be075fc3b3d9fba556258134bbb0365f5d50a973a6ec95da07a71db96be

memory/3972-18-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3972-20-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2940-24-0x0000000074E20000-0x00000000755D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\K3UVUTFFLH.zip

MD5 40a9752d59f2883e40d928f85a749008
SHA1 c60fb58eff64a7969b46f3934766f991352eeb47
SHA256 ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820
SHA512 ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

MD5 91b41651e6e9ab352805c6d35a297d08
SHA1 11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e
SHA256 0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723
SHA512 b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

memory/3208-54-0x0000000000B60000-0x0000000000C12000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

MD5 055c857272026583a61e1b5821c69a24
SHA1 ec39d34f16487682801dd2b319554cbed57feca4
SHA256 190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84
SHA512 d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b

memory/3972-64-0x0000000000400000-0x000000000045B000-memory.dmp
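Read across both detonations, the Files sections show which artefacts are stable enough to hunt on. Fox.exe and the dropped zip have identical MD5/SHA1/SHA256/SHA512 values on Windows 7 and Windows 10, even though the zip is written under a different random name each time (LNDZL4~1.ZIP in behavioral1 is the 8.3 short form of another such name, K3UVUTFFLH.zip in behavioral2), whereas the tmpXXXX.tmp task definitions differ in both name and hash between runs, and credentials.txt, the stealer's collected output, appears only in the Windows 10 run. The Network sections contribute one real endpoint, 135.148.103.173:587 for mail.masarprecast.com; the 8.8.8.8 rows are the resolver and the in-addr.arpa rows carry no new infrastructure (173.103.148.135.in-addr.arpa is just the mail server's address reversed). The Python below is an added example, not part of this report: it parses excerpts of those sections (copied from behavioral2 and trimmed to MD5/SHA256 lines) into an IOC set that matches randomly named drops by hash only, and checks that set against constructed host telemetry from a hypothetical second machine.

```python
"""Turn the flattened Files and Network sections of this report into an
IOC set and match it against host telemetry. Added example, not part of
the sandbox report. Excerpts are copied from behavioral2 (trimmed to
MD5/SHA256 lines); HOST_TELEMETRY is constructed."""
import re
from typing import Any, Dict, List, Set, Tuple

FILES_EXCERPT = r"""
memory/3972-20-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\K3UVUTFFLH.zip

MD5 40a9752d59f2883e40d928f85a749008
SHA256 ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

MD5 91b41651e6e9ab352805c6d35a297d08
SHA256 0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

SHA256 190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84
"""

NETWORK_EXCERPT = """\
Country Destination Domain Proto
US 8.8.8.8:53 mail.masarprecast.com udp
US 135.148.103.173:587 mail.masarprecast.com tcp
US 8.8.8.8:53 173.103.148.135.in-addr.arpa udp
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# Names that change per run: 10-char zip, its 8.3 short form, tmpXXXX.tmp task XML.
RANDOM_NAME_RE = re.compile(r"^(?:[a-z0-9]{10}\.zip|[a-z0-9]{6}~\d\.zip|tmp[0-9a-f]{4}\.tmp)$", re.I)


def parse_files_section(text: str) -> List[Dict[str, str]]:
    """One record per dropped file: its path plus every well-formed digest listed under it."""
    artifacts: List[Dict[str, str]] = []
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if current is not None and len(digest) == HASH_LEN[algo]:
                current[algo] = digest
        elif line.startswith("memory/"):
            current = None  # memory dumps carry no digests in the report
        else:
            current = {"path": line}
            artifacts.append(current)
    return [a for a in artifacts if "sha256" in a]


def parse_network_section(text: str) -> List[Dict[str, Any]]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"ip": ip, "port": int(port), "domain": parts[2].lower(), "proto": parts[3]})
    return rows


def file_iocs(artifacts: List[Dict[str, str]]) -> Tuple[Set[str], Set[str]]:
    """SHA256 set plus only the file names that stay fixed across detonations."""
    hashes = {a["sha256"] for a in artifacts}
    names = {n for n in (a["path"].rsplit("\\", 1)[-1].lower() for a in artifacts)
             if not RANDOM_NAME_RE.match(n)}
    return hashes, names


def network_iocs(rows: List[Dict[str, Any]]) -> Tuple[Set[str], Set[Tuple[str, int, str]]]:
    """Keep queried names and contacted endpoints; drop resolver rows and reverse lookups."""
    domains, endpoints = set(), set()
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            continue
        domains.add(r["domain"])
        if not (r["ip"] == "8.8.8.8" and r["port"] == 53):
            endpoints.add((r["ip"], r["port"], r["proto"]))
    return domains, endpoints


HOST_TELEMETRY = [  # constructed: a second host where the zip got a fresh random name
    {"kind": "file", "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe",
     "sha256": "0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723"},
    {"kind": "file", "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Templates\Q7ZP2MNX4V.zip",
     "sha256": "ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820"},
    {"kind": "file", "path": r"C:\Windows\System32\notepad.exe", "sha256": "00" * 32},  # placeholder digest
    {"kind": "dns", "query": "MAIL.masarprecast.com"},
    {"kind": "conn", "ip": "135.148.103.173", "port": 587, "proto": "tcp"},
    {"kind": "conn", "ip": "8.8.8.8", "port": 53, "proto": "udp"},
]


def match_telemetry(hashes, names, domains, endpoints, telemetry) -> List[Tuple[str, str]]:
    hits = []
    for t in telemetry:
        if t["kind"] == "file":
            if t["sha256"].lower() in hashes:
                hits.append(("sha256", t["path"]))
            elif t["path"].rsplit("\\", 1)[-1].lower() in names:
                hits.append(("filename", t["path"]))
        elif t["kind"] == "dns" and t["query"].lower() in domains:
            hits.append(("domain", t["query"]))
        elif t["kind"] == "conn" and (t["ip"], t["port"], t["proto"]) in endpoints:
            hits.append(("endpoint", f'{t["ip"]}:{t["port"]}/{t["proto"]}'))
    return hits


if __name__ == "__main__":
    h, n = file_iocs(parse_files_section(FILES_EXCERPT))
    d, e = network_iocs(parse_network_section(NETWORK_EXCERPT))
    for kind, value in match_telemetry(h, n, d, e, HOST_TELEMETRY):
        print(f"{kind:9} {value}")
```

The zip on the constructed second host is found by hash even though its name (Q7ZP2MNX4V.zip) appears nowhere in the report, which is the point of matching randomly named drops by digest; Fox.exe and credentials.txt keep their names and can be matched either way. The same parser accepts the full Files sections above, including the SHA1 and SHA512 lines, since digests are validated by length per algorithm.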