Analysis Overview
SHA256
6ad5247f54eaec05a23e025f393291f39a6686ab38f34d5cda8fd868b627d157
Threat Level: Shows suspicious behavior
The file JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db was found to show suspicious behavior.
Malicious Activity Summary
Unexpected DNS network traffic destination
Executes dropped EXE
Deletes itself
Event Triggered Execution: Component Object Model Hijacking
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:52
Reported
2025-01-27 20:54
Platform
win7-20240903-en
Max time kernel
65s
Max time network
150s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\services.exe | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Destination IP | 83.133.123.20 | N/A | N/A |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Destination IP | 83.133.123.20 | N/A | N/A |
| Destination IP | 83.133.123.20 | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | \systemroot\assembly\GAC_64\Desktop.ini | C:\Windows\system32\services.exe | N/A |
| File created | \systemroot\assembly\GAC_32\Desktop.ini | C:\Windows\system32\services.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1956 set thread context of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | C:\Windows\SysWOW64\cmd.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\clsid | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-1488793075-819845221-1497111674-1000\\$568593a3dddae9c8c724dfe7808f99db\\n." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$568593a3dddae9c8c724dfe7808f99db\\n." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\services.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\services.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\services.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\services.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\services.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | j.maxmind.com | udp |
| DE | 83.133.123.20:53 | N/A | udp |
| DE | 83.133.123.20:53 | N/A | udp |
| DE | 83.133.123.20:53 | N/A | udp |
| DE | 83.133.123.20:53 | N/A | udp |
| DE | 83.133.123.20:53 | N/A | udp |
| DE | 83.133.123.20:53 | N/A | udp |
| DE | 83.133.123.20:53 | N/A | udp |
| DE | 83.133.123.20:53 | N/A | udp |
| DE | 83.133.123.20:53 | N/A | udp |
| US | 68.43.151.4:16470 | N/A | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
Files
memory/1956-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1956-1-0x000000000042D000-0x0000000000434000-memory.dmp
memory/1956-2-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1956-3-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1244-4-0x0000000002A70000-0x0000000002A71000-memory.dmp
memory/1244-8-0x0000000002A70000-0x0000000002A71000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\$568593a3dddae9c8c724dfe7808f99db\n
| MD5 | fb4e3236959152a057bc6b7603c538ef |
| SHA1 | b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4 |
| SHA256 | 8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0 |
| SHA512 | 993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2 |
memory/472-13-0x0000000000090000-0x0000000000091000-memory.dmp
C:\$Recycle.Bin\S-1-5-18\$568593a3dddae9c8c724dfe7808f99db\@
| MD5 | 4e528876b4f4f13af564b3f6b697928f |
| SHA1 | 8535c7ce522477aebd468fc7505400dca0a11bd2 |
| SHA256 | 41bdcc22308342206d405095566041bf7da8647f290340d3bb8663f1fa8c0731 |
| SHA512 | 85742858b309a0fb665d6dca40ed038626b69e6352b3bccc8362ce823ec74ce9f700588091a32448afc168ba515c26304abc950d1f8244f088ab133fc2e27b6a |
memory/1956-20-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1956-19-0x000000000042D000-0x0000000000434000-memory.dmp
memory/1244-21-0x0000000002A70000-0x0000000002A71000-memory.dmp
memory/472-22-0x0000000000090000-0x0000000000091000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:52
Reported
2025-01-27 20:54
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
145s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Destination IP | 83.133.123.20 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3756129449-3121373848-4276368241-1000\\$862b21c0dc2d33ab5918d90b8ea31d19\\n." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\clsid | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 528 wrote to memory of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | C:\Windows\Explorer.EXE |
| PID 528 wrote to memory of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe | C:\Windows\Explorer.EXE |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43939ed80ef8f6cc9d7f5dc15fcd48db.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | j.maxmind.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| DE | 83.133.123.20:53 | N/A | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| DE | 83.133.123.20:53 | N/A | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| DE | 83.133.123.20:53 | N/A | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| DE | 83.133.123.20:53 | N/A | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| DE | 83.133.123.20:53 | N/A | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.123.133.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/528-2-0x0000000000400000-0x0000000000436000-memory.dmp
memory/528-1-0x000000000042D000-0x0000000000434000-memory.dmp
memory/528-0-0x00000000004C0000-0x00000000004C1000-memory.dmp
memory/528-3-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3500-4-0x0000000002B90000-0x0000000002B91000-memory.dmp
memory/3500-8-0x0000000002B90000-0x0000000002B91000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\$862b21c0dc2d33ab5918d90b8ea31d19\n
| MD5 | fb4e3236959152a057bc6b7603c538ef |
| SHA1 | b25a70c07dd2eb1c9fdf89f7a2ffc286f226edf4 |
| SHA256 | 8244ddfcba327a3f67a5582642c53241ee5e58d75808547cd74808bcded272d0 |
| SHA512 | 993dbfbf71394ad1f120a8687d57eac2b9a55b11b1594aadd5a8d90edc0a26e5fd21f78317d342837ce27728613b5fc9c6ea40f86d17e5c477071be84f8aa3d2 |
memory/528-10-0x0000000000400000-0x0000000000436000-memory.dmp
memory/528-11-0x000000000042D000-0x0000000000434000-memory.dmp