Malware Analysis Report

2025-01-18 16:41

Sample ID 241212-1xjqca1jeq
Target e87a68565079ec9337b38daf24abb7ed_JaffaCakes118
SHA256 0734e46043e3b7a82176386c4c8d5f572fb9673c94d4047a370a25c1035c87ce
Tags
isrstealer collection discovery spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0734e46043e3b7a82176386c4c8d5f572fb9673c94d4047a370a25c1035c87ce

Threat Level: Known bad

The file e87a68565079ec9337b38daf24abb7ed_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

isrstealer collection discovery spyware stealer trojan upx

ISR Stealer

Isrstealer family

ISR Stealer payload

NirSoft MailPassView

Detected Nirsoft tools

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

UPX packed file

Drops file in Windows directory

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-12 22:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-12 22:01

Reported

2024-12-12 22:04

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Isrstealer family

isrstealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2368 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2368 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2368 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2368 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2368 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2368 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2368 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2428 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\intreheq\pingoere.exe.lnk " /f

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\oTaND3jSdy.ini"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\FWu9P5MZ1s.ini"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.lineamamamababy.com udp

Files

memory/2368-0-0x0000000074011000-0x0000000074012000-memory.dmp

memory/2368-1-0x0000000074010000-0x00000000745BB000-memory.dmp

memory/2368-2-0x0000000074010000-0x00000000745BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\intreheq\pingoere.exe

MD5 e87a68565079ec9337b38daf24abb7ed
SHA1 37cc35d9cdf9b1b372c9b6798fc01fa4b320639c
SHA256 0734e46043e3b7a82176386c4c8d5f572fb9673c94d4047a370a25c1035c87ce
SHA512 6f3f6ba6f26f10b942db0d002487f356bdc9045cf312d46a55b7f31343eac9599be43bb8eb2fd35cae9ca3a2fa895384fc88f3d97780fad33d9b866c08c8eb23

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 0f01571a3e4c71eb4313175aae86488e
SHA1 2ba648afe2cd52edf5f25e304f77d457abf7ac0e
SHA256 8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022
SHA512 159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

memory/2428-12-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2428-16-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2428-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2428-13-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2428-11-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2836-24-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2836-28-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2836-27-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2836-29-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2368-30-0x0000000074010000-0x00000000745BB000-memory.dmp

memory/2836-32-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oTaND3jSdy.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/2428-34-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2660-36-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2660-38-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2660-39-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2428-40-0x0000000000400000-0x0000000000442000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-12 22:01

Reported

2024-12-12 22:04

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Isrstealer family

isrstealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4152 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4152 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1020 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1020 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1020 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1020 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1020 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1020 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1020 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4044 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\intreheq\pingoere.exe.lnk " /f

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\8VQ1qPrUNI.ini"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\IH3QNnOyMF.ini"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.lineamamamababy.com udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1020-0-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

memory/1020-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

memory/1020-2-0x0000000074BF0000-0x00000000751A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\intreheq\pingoere.exe

MD5 e87a68565079ec9337b38daf24abb7ed
SHA1 37cc35d9cdf9b1b372c9b6798fc01fa4b320639c
SHA256 0734e46043e3b7a82176386c4c8d5f572fb9673c94d4047a370a25c1035c87ce
SHA512 6f3f6ba6f26f10b942db0d002487f356bdc9045cf312d46a55b7f31343eac9599be43bb8eb2fd35cae9ca3a2fa895384fc88f3d97780fad33d9b866c08c8eb23

memory/4044-11-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 454501a66ad6e85175a6757573d79f8b
SHA1 8ca96c61f26a640a5b1b1152d055260b9d43e308
SHA256 7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8
SHA512 9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

memory/4044-15-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3668-18-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3668-21-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3668-22-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3668-23-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3668-25-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1020-27-0x0000000074BF0000-0x00000000751A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8VQ1qPrUNI.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/4552-29-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4552-32-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4552-33-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4552-34-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4552-35-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4044-36-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4044-37-0x0000000000400000-0x0000000000442000-memory.dmp