gandcrab | 29708b8f7245cfe7e47d363ab1cd0006027e334870791461d126e37751c054a0

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
09/01/2025, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
Size

291KB
MD5

cadb52385ded087de7fae5b2413c37cb
SHA1

82af0fbb6ebe148ee6f771dbbe7adb2dddd0287a
SHA256

29708b8f7245cfe7e47d363ab1cd0006027e334870791461d126e37751c054a0
SHA512

8eb67074cf22243c52484eb6cd978ed50420e702c5862cf3649d001dab064ac4ccc685ac0e53da3e5cb77143d46286791664731c493c4bb9934dff5cad90c3e2
SSDEEP

3072:PHA3izhGQXZDoO6BHi/Fy+XvQBAg0Fujhf1wxcSbL7vf92/WNvbPALS1HKdYHMwB:nvoO0i4AOVwFdrNvbP8/YHMmoVd1xqsS

Score

10^/10

gandcrab backdoor discovery persistence ransomware

Malware Config

Signatures

GandCrab payload 4 IoCs

resource	yara_rule
behavioral1/memory/2556-3-0x0000000000280000-0x0000000000297000-memory.dmp	family_gandcrab
behavioral1/memory/2556-5-0x0000000000400000-0x0000000000946000-memory.dmp	family_gandcrab
behavioral1/memory/2556-6-0x0000000000400000-0x0000000000946000-memory.dmp	family_gandcrab
behavioral1/memory/2556-13-0x0000000000400000-0x000000000042C000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vojndvqiait = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\wzsnyn.exe\""	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\G:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\H:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\I:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\P:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\S:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\L:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\B:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\K:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\N:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\Q:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\R:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\T:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\U:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\Y:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\Z:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\A:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\J:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\M:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\O:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\V:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\W:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
File opened (read-only)	\??\X:	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 468	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	30
PID 2556 wrote to memory of 468	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	30
PID 2556 wrote to memory of 468	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	30
PID 2556 wrote to memory of 468	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	30
PID 2556 wrote to memory of 2476	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	33
PID 2556 wrote to memory of 2476	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	33
PID 2556 wrote to memory of 2476	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	33
PID 2556 wrote to memory of 2476	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	33
PID 2556 wrote to memory of 2880	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	35
PID 2556 wrote to memory of 2880	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	35
PID 2556 wrote to memory of 2880	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	35
PID 2556 wrote to memory of 2880	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	35
PID 2556 wrote to memory of 2996	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	37
PID 2556 wrote to memory of 2996	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	37
PID 2556 wrote to memory of 2996	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	37
PID 2556 wrote to memory of 2996	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	37
PID 2556 wrote to memory of 2500	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	39
PID 2556 wrote to memory of 2500	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	39
PID 2556 wrote to memory of 2500	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	39
PID 2556 wrote to memory of 2500	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	39
PID 2556 wrote to memory of 2676	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	41
PID 2556 wrote to memory of 2676	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	41
PID 2556 wrote to memory of 2676	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	41
PID 2556 wrote to memory of 2676	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	41
PID 2556 wrote to memory of 2884	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	43
PID 2556 wrote to memory of 2884	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	43
PID 2556 wrote to memory of 2884	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	43
PID 2556 wrote to memory of 2884	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	43
PID 2556 wrote to memory of 2648	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	45
PID 2556 wrote to memory of 2648	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	45
PID 2556 wrote to memory of 2648	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	45
PID 2556 wrote to memory of 2648	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	45
PID 2556 wrote to memory of 2712	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	47
PID 2556 wrote to memory of 2712	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	47
PID 2556 wrote to memory of 2712	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	47
PID 2556 wrote to memory of 2712	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	47
PID 2556 wrote to memory of 2060	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	49
PID 2556 wrote to memory of 2060	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	49
PID 2556 wrote to memory of 2060	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	49
PID 2556 wrote to memory of 2060	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	49
PID 2556 wrote to memory of 2280	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	51
PID 2556 wrote to memory of 2280	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	51
PID 2556 wrote to memory of 2280	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	51
PID 2556 wrote to memory of 2280	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	51
PID 2556 wrote to memory of 1860	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	53
PID 2556 wrote to memory of 1860	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	53
PID 2556 wrote to memory of 1860	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	53
PID 2556 wrote to memory of 1860	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	53
PID 2556 wrote to memory of 1928	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	55
PID 2556 wrote to memory of 1928	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	55
PID 2556 wrote to memory of 1928	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	55
PID 2556 wrote to memory of 1928	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	55
PID 2556 wrote to memory of 1824	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	57
PID 2556 wrote to memory of 1824	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	57
PID 2556 wrote to memory of 1824	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	57
PID 2556 wrote to memory of 1824	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	57
PID 2556 wrote to memory of 1716	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	59
PID 2556 wrote to memory of 1716	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	59
PID 2556 wrote to memory of 1716	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	59
PID 2556 wrote to memory of 1716	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	59
PID 2556 wrote to memory of 380	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	61
PID 2556 wrote to memory of 380	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	61
PID 2556 wrote to memory of 380	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	61
PID 2556 wrote to memory of 380	2556	JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe	61

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cadb52385ded087de7fae5b2413c37cb.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2476
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2996
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2712
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1824
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:380
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1972
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1948
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2748
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2144
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:1360
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1800
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:896
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1364
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1640
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:1804
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:696
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2264
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:988
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:788
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2620
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2796
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2812
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:1192
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1908
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1752
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1144
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1796
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1848
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2540
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2972
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1096
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1344
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1780
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2632
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:948
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1388
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2440
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1232
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2512
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2248
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2104
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2976
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2492
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2556-0-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/2556-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2556-3-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/2556-5-0x0000000000400000-0x0000000000946000-memory.dmp

Filesize
5.3MB

Download
memory/2556-6-0x0000000000400000-0x0000000000946000-memory.dmp

Filesize
5.3MB

Download
memory/2556-12-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/2556-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download