gandcrab | 299f191aa3decd3256c9c3522dd444321db8b45a49109ecd3ad14c57d6eccdb2

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
Size

233KB
MD5

b6dbd2d0fbd8d9710a40e0f42753e68b
SHA1

b073d500c013ce2cbed08bddcfa04eba0c4af22c
SHA256

299f191aa3decd3256c9c3522dd444321db8b45a49109ecd3ad14c57d6eccdb2
SHA512

33843e88ac3eb944192801a5555ef1abdc302d33419f9037bf8c23002fa1f72f0f10d3aa43ca45ea3d5cb39419e63611b361cc020ff714f3c33faff1f85d47f9
SSDEEP

3072:ggJYL+iU82IteL5hYcAhaW3q0Dj7VVkYvB5nxMwxWhoUqVRMlcK:ggJYLk6t5u0vZVkYzNWh2wp

Score

10^/10

gandcrab backdoor discovery persistence ransomware

Malware Config

Signatures

GandCrab payload 4 IoCs

resource	yara_rule
behavioral1/memory/2364-260-0x0000000000270000-0x0000000000287000-memory.dmp	family_gandcrab
behavioral1/memory/2364-259-0x0000000000400000-0x0000000000B4A000-memory.dmp	family_gandcrab
behavioral1/memory/2364-262-0x0000000000400000-0x0000000000B4A000-memory.dmp	family_gandcrab
behavioral1/memory/2364-269-0x0000000000400000-0x000000000042C000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dguclszlvrg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\zdfxrx.exe\""	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\K:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\L:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\M:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\N:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\O:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\H:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\I:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\S:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\R:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\X:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\B:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\P:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\T:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\U:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\V:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\Y:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\Z:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\A:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\G:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\W:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\E:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
File opened (read-only)	\??\Q:	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2424	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	30
PID 2364 wrote to memory of 2424	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	30
PID 2364 wrote to memory of 2424	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	30
PID 2364 wrote to memory of 2424	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	30
PID 2364 wrote to memory of 1784	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	32
PID 2364 wrote to memory of 1784	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	32
PID 2364 wrote to memory of 1784	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	32
PID 2364 wrote to memory of 1784	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	32
PID 2364 wrote to memory of 1780	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	34
PID 2364 wrote to memory of 1780	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	34
PID 2364 wrote to memory of 1780	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	34
PID 2364 wrote to memory of 1780	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	34
PID 2364 wrote to memory of 2276	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	36
PID 2364 wrote to memory of 2276	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	36
PID 2364 wrote to memory of 2276	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	36
PID 2364 wrote to memory of 2276	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	36
PID 2364 wrote to memory of 2932	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	38
PID 2364 wrote to memory of 2932	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	38
PID 2364 wrote to memory of 2932	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	38
PID 2364 wrote to memory of 2932	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	38
PID 2364 wrote to memory of 1496	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	40
PID 2364 wrote to memory of 1496	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	40
PID 2364 wrote to memory of 1496	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	40
PID 2364 wrote to memory of 1496	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	40
PID 2364 wrote to memory of 2036	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	42
PID 2364 wrote to memory of 2036	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	42
PID 2364 wrote to memory of 2036	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	42
PID 2364 wrote to memory of 2036	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	42
PID 2364 wrote to memory of 1644	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	44
PID 2364 wrote to memory of 1644	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	44
PID 2364 wrote to memory of 1644	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	44
PID 2364 wrote to memory of 1644	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	44
PID 2364 wrote to memory of 300	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	46
PID 2364 wrote to memory of 300	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	46
PID 2364 wrote to memory of 300	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	46
PID 2364 wrote to memory of 300	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	46
PID 2364 wrote to memory of 2404	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	49
PID 2364 wrote to memory of 2404	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	49
PID 2364 wrote to memory of 2404	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	49
PID 2364 wrote to memory of 2404	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	49
PID 2364 wrote to memory of 1736	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	51
PID 2364 wrote to memory of 1736	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	51
PID 2364 wrote to memory of 1736	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	51
PID 2364 wrote to memory of 1736	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	51
PID 2364 wrote to memory of 2108	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	53
PID 2364 wrote to memory of 2108	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	53
PID 2364 wrote to memory of 2108	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	53
PID 2364 wrote to memory of 2108	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	53
PID 2364 wrote to memory of 1832	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	55
PID 2364 wrote to memory of 1832	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	55
PID 2364 wrote to memory of 1832	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	55
PID 2364 wrote to memory of 1832	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	55
PID 2364 wrote to memory of 2100	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	57
PID 2364 wrote to memory of 2100	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	57
PID 2364 wrote to memory of 2100	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	57
PID 2364 wrote to memory of 2100	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	57
PID 2364 wrote to memory of 2880	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	59
PID 2364 wrote to memory of 2880	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	59
PID 2364 wrote to memory of 2880	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	59
PID 2364 wrote to memory of 2880	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	59
PID 2364 wrote to memory of 2856	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	61
PID 2364 wrote to memory of 2856	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	61
PID 2364 wrote to memory of 2856	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	61
PID 2364 wrote to memory of 2856	2364	JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe	61

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6dbd2d0fbd8d9710a40e0f42753e68b.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1780
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2276
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1496
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:300
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2404
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1736
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1832
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2880
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1288
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2908
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2644
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2296
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:560
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2808
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1580
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1040
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1836
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2292
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:808
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:576
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:876
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1228
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1868
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:1764
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1680
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:604
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2124
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2092
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2612
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2664
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:648
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1744
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2832
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2940
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1740
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:268
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:536
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2312
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1588
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1904
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:324
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:924
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2508
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2476
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2392
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1032
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
7KB

MD5
41bf414bf23c0ce4159d401f400ff6c9

SHA1
3863fddeb726a22147517ed9dc293e591a5dba46

SHA256
9212c6a58ecaff40cdbbf46465f5fbbf1ca63cab50f4476acfc20d7836d00a23

SHA512
55a60d66bd3b609f86e29ce90cc2aa58d60bf1f69539cd1fcf09593ba50daa482c0160636b22aa13af006348f7d8ed2de23277316fa6933b0a0bc987a5da349b

Download Submit
memory/2364-257-0x0000000000C50000-0x0000000000D50000-memory.dmp

Filesize
1024KB

Download
memory/2364-258-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2364-260-0x0000000000270000-0x0000000000287000-memory.dmp

Filesize
92KB

Download
memory/2364-259-0x0000000000400000-0x0000000000B4A000-memory.dmp

Filesize
7.3MB

Download
memory/2364-262-0x0000000000400000-0x0000000000B4A000-memory.dmp

Filesize
7.3MB

Download
memory/2364-268-0x0000000000C50000-0x0000000000D50000-memory.dmp

Filesize
1024KB

Download
memory/2364-269-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download