Malware Analysis Report

2025-04-03 10:25

Sample ID 250316-j9n26azjx7
Target JaffaCakes118_7988827f545203ac2ea13c652d5674a8
SHA256 3a4f8430dd794e93e9f2ac368c9b6f61c93609e0e52afe292a1aa95abae99453
Tags
latentbot defense_evasion discovery persistence privilege_escalation trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a4f8430dd794e93e9f2ac368c9b6f61c93609e0e52afe292a1aa95abae99453

Threat Level: Known bad

The file JaffaCakes118_7988827f545203ac2ea13c652d5674a8 was found to be: Known bad.

Malicious Activity Summary

latentbot defense_evasion discovery persistence privilege_escalation trojan upx

LatentBot

Latentbot family

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Drops startup file

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-16 08:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-16 08:22

Reported

2025-03-16 08:24

Platform

win10v2004-20250314-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
Note: the command line behind this signature is recorded under Processes below. netsh.exe, spawned by gorft.exe, runs "netsh firewall add allowedprogram" to add gorft.exe to the firewall's allowed-program list.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\717b83676f0ab8c5935f4e7857307217.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\717b83676f0ab8c5935f4e7857307217.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\717b83676f0ab8c5935f4e7857307217 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gorft.exe\" .." C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\717b83676f0ab8c5935f4e7857307217 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gorft.exe\" .." C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
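The three rows above say only that something matched the UPX signature, not which of the dropped files or why. To confirm the tag before unpacking, here is an added Python check (example code, not part of this report and not the sandbox's own logic): it parses the PE section table and looks for the section names stock UPX writes. The stub-PE builder is a constructed fixture so the check runs offline; no bytes from the sample are embedded.

```python
import struct

# Section names written by stock UPX builds; seeing one is a strong (but
# easily removed) hint that the file is UPX packed.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"


def pe_sections(data):
    """Parse the section table of a PE image and return one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    table = coff + struct.calcsize(COFF_HEADER_FMT) + opt_size
    sections = []
    for i in range(nsect):
        off = table + i * struct.calcsize(SECTION_HEADER_FMT)
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append({
            "name": fields[0].rstrip(b"\0"),
            "virtual_size": fields[1],
            "raw_size": fields[3],
            "characteristics": fields[9],
        })
    return sections


def looks_upx_packed(data):
    """True if any section carries a stock UPX name.

    A False result means "not stock UPX", not "not packed": renamed-section
    UPX builds and other packers need entropy or import-table heuristics."""
    return any(s["name"] in UPX_SECTION_NAMES for s in pe_sections(data))


def build_stub_pe(section_names):
    """Constructed fixture: a header-only PE32 with the given section names.

    Nothing here is taken from the sample; it exists so the check can be run
    offline without a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0                           # size of a PE32 optional header, left zeroed
    nt = bytearray(b"PE\0\0")
    nt += struct.pack(COFF_HEADER_FMT, 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    nt += bytes(opt_size)
    for i, name in enumerate(section_names):
        nt += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                          0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                          0, 0, 0, 0, 0x60000020)
    return bytes(dos + nt)


if __name__ == "__main__":
    for names in ([b"UPX0", b"UPX1", b".rsrc"], [b".text", b".rdata", b".data"]):
        print(names, "->", looks_upx_packed(build_stub_pe(names)))
```

Run `pe_sections(open(path, "rb").read())` on each dropped file to see which one carries UPX0/UPX1; a section with a large virtual size and a raw size of zero is the usual shape of UPX0. Treat a negative result as inconclusive, since the names cost nothing to change.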

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Note: these three rows show netsh.exe reading its own helper-DLL list, which netsh does on every start. No write to this key by the sample is recorded in this run, so the persistence/privilege_escalation tag here is a side effect of the firewall command rather than evidence of an installed helper DLL.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe
PID 2116 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe
PID 2116 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe
PID 2116 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe
PID 2116 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe
PID 2116 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe
PID 2660 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe
PID 2660 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe
PID 2660 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe
PID 4764 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe C:\Windows\SysWOW64\netsh.exe
PID 4764 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe C:\Windows\SysWOW64\netsh.exe
PID 4764 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe"

C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe

"C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe"

C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe

"C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe"

C:\Users\Admin\AppData\Local\Temp\gorft.exe

"C:\Users\Admin\AppData\Local\Temp\gorft.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\gorft.exe" "gorft.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 hakerbolbol.zapto.org udp (11 identical DNS queries)
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.35:80 c.pki.goog tcp
US 8.8.8.8:53 hakerbolbol.zapto.org udp (16 identical DNS queries)
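The behaviours recorded in this run line up into a small detection set: netsh adding a firewall exception for gorft.exe in the user's Temp folder, a Run key and a Startup-folder file both named 717b83676f0ab8c5935f4e7857307217, and repeated lookups of hakerbolbol.zapto.org from which no follow-on TCP connection appears in the capture. As an added example (not part of the sandbox output and not the vendor's code), the Python below expresses those as rules and runs them over constructed Sysmon-style events that mirror the rows above. The event shape, the "user-writable path" regex and the dynamic-DNS suffix list are assumptions to tune to your own telemetry.

```python
import re

# Sysmon-style event IDs used in the sample: 1 process create, 11 file create,
# 13 registry value set, 22 DNS query. Field names are simplified.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\Downloads)\\", re.I)
HEX32_NAME = re.compile(r"^[0-9a-f]{32}(\.exe)?$", re.I)
# Matches the deprecated 'netsh firewall' syntax seen in this report as well as 'netsh advfirewall'.
FIREWALL_ALLOW = re.compile(r"firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule\b.*\bprogram=", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
# Assumption: a short dynamic-DNS suffix list; extend it for your environment.
DYNDNS_SUFFIXES = ("zapto.org", "hopto.org", "no-ip.org", "no-ip.biz", "ddns.net")

# Constructed sample events modelled on the behavioral2 run above; not a sensor export.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\gorft.exe",
     "cmd": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\gorft.exe" "gorft.exe" ENABLE'},
    {"id": 13, "image": r"C:\Users\Admin\AppData\Local\Temp\gorft.exe",
     "target": r"HKU\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\717b83676f0ab8c5935f4e7857307217",
     "details": r'"C:\Users\Admin\AppData\Local\Temp\gorft.exe" ..'},
    {"id": 11, "image": r"C:\Users\Admin\AppData\Local\Temp\gorft.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\717b83676f0ab8c5935f4e7857307217.exe"},
    {"id": 22, "image": r"C:\Users\Admin\AppData\Local\Temp\gorft.exe", "query": "hakerbolbol.zapto.org"},
    # Benign rows that must not fire.
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "netsh interface show interface"},
    {"id": 13, "image": r"C:\Program Files\Vendor\app.exe",
     "target": r"HKU\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r'"C:\Program Files\Vendor\app.exe"'},
    {"id": 22, "image": r"C:\Program Files\Vendor\app.exe", "query": "g.bing.com"},
]


def rule_firewall_exception(ev):
    """Firewall exception added for a program that lives in a user-writable directory."""
    if ev.get("id") != 1:
        return None
    cmd = ev.get("cmd", "")
    if FIREWALL_ALLOW.search(cmd) and USER_WRITABLE.search(cmd):
        return "netsh firewall exception for a program in a user-writable path"
    return None


def rule_run_key(ev):
    """Run key whose data points into a user-writable directory; flag a 32-hex value name too."""
    if ev.get("id") != 13:
        return None
    m = RUN_KEY.search(ev.get("target", ""))
    if not m or not USER_WRITABLE.search(ev.get("details", "")):
        return None
    why = "Run key points to a user-writable path"
    if HEX32_NAME.match(m.group(1)):
        why += "; value name is a 32-hex-char string"
    return why


def rule_startup_file(ev):
    """File written to the Startup folder by a process that itself runs from a user-writable path."""
    if ev.get("id") != 11:
        return None
    m = STARTUP_DIR.search(ev.get("target", ""))
    if m and USER_WRITABLE.search(ev.get("image", "")):
        why = "process in user-writable path wrote to the Startup folder"
        if HEX32_NAME.match(m.group(1)):
            why += "; file name is a 32-hex-char string"
        return why
    return None


def rule_dyndns(ev):
    """DNS lookup of a dynamic-DNS host from a process in a user-writable path."""
    if ev.get("id") != 22:
        return None
    q = ev.get("query", "").lower()
    on_dyndns = any(q == s or q.endswith("." + s) for s in DYNDNS_SUFFIXES)
    if on_dyndns and USER_WRITABLE.search(ev.get("image", "")):
        return "dynamic-DNS lookup from a process in a user-writable path"
    return None


RULES = (rule_firewall_exception, rule_run_key, rule_startup_file, rule_dyndns)


def run_rules(events):
    """Apply every rule to every event; return one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            why = rule(ev)
            if why:
                findings.append({"rule": rule.__name__, "image": ev.get("image"), "why": why})
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f['rule']:24} {f['image']}: {f['why']}")
```

Each rule keys on the combination the report shows (a user-writable path plus a persistence or firewall action) rather than on the file names gorft.exe or 717b83676f0ab8c5935f4e7857307217, which the next build of the sample will change; the 32-hex name is reported as a secondary note for the same reason.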

Files

memory/2116-0-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

memory/2116-1-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

memory/2116-2-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

memory/2116-3-0x000000001C230000-0x000000001C6FE000-memory.dmp

memory/2116-4-0x000000001C7A0000-0x000000001C83C000-memory.dmp

memory/2116-5-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe

MD5 96681f9a5f34f4c09405674b1e22a35e
SHA1 700ce6e277c8dfd78ac98319fecf986691297dd6
SHA256 7c5f8d2446616124bfee0b2f217194acdb3088ab0b6d31cc01a1c84fa988ec1c
SHA512 c73b4a0300dce59d22ab89d3f4e7d6b87a120ca3f3480831f309d4f01675a425b705ec362037f5aefa6dc76e6aae5060354843e2952ad5cac6877e7d803a4563

C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe

MD5 276d5b7ca6303c28492807f4d1d92309
SHA1 68f2bf37c6952a5a5e2ee06c721a40ecac244439
SHA256 a8b210be8d7774a898df8306a4f2110d99218198fb842fdcd180c624c765f8aa
SHA512 e0388aa6700e9d1cceef3d755083f3234b2c5e542fc0a64df528d3e5e3bdebf6d45aa215bc49640677748bf04b72083096292161b6fe87b7db040d2e56292423

memory/2456-24-0x0000000000400000-0x00000000005C5000-memory.dmp

memory/2116-26-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

memory/2660-27-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

memory/2456-28-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e653d73e45833b6c

MD5 80f583ab01e80aae24a8b5833a298602
SHA1 611396b2d1632d8d0d2828bb86fefbaf173989e0
SHA256 2691bbe79c030727918fbaf7f1f43b4eeaa8ab3852dad598758773f27af84504
SHA512 24e7b892745feb27602059062451894fc43dd3cf538bd95966f2e0b458d13e920177c40209099c494447903dba73a2efa4454b4cd26a2e79d7d840e87a015397

memory/2456-41-0x0000000000400000-0x00000000005C5000-memory.dmp

memory/2456-42-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-16 08:22

Reported

2025-03-16 08:24

Platform

win7-20241010-en

Max time kernel

147s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\717b83676f0ab8c5935f4e7857307217.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\717b83676f0ab8c5935f4e7857307217.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\717b83676f0ab8c5935f4e7857307217 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gorft.exe\" .." C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\717b83676f0ab8c5935f4e7857307217 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gorft.exe\" .." C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe
PID 2856 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe
PID 2856 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe
PID 2856 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe
PID 2856 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe
PID 2856 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe
PID 2856 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe
PID 2856 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe
PID 2944 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe
PID 2944 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe
PID 2944 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe
PID 2944 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe C:\Users\Admin\AppData\Local\Temp\gorft.exe
PID 2604 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe C:\Windows\SysWOW64\netsh.exe
PID 2604 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe C:\Windows\SysWOW64\netsh.exe
PID 2604 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe C:\Windows\SysWOW64\netsh.exe
PID 2604 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\gorft.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe"

C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe

"C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe"

C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe

"C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe"

C:\Users\Admin\AppData\Local\Temp\gorft.exe

"C:\Users\Admin\AppData\Local\Temp\gorft.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\gorft.exe" "gorft.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 hakerbolbol.zapto.org udp

Files

memory/2856-0-0x000007FEF5B2E000-0x000007FEF5B2F000-memory.dmp

memory/2856-1-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

memory/2856-3-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe

MD5 96681f9a5f34f4c09405674b1e22a35e
SHA1 700ce6e277c8dfd78ac98319fecf986691297dd6
SHA256 7c5f8d2446616124bfee0b2f217194acdb3088ab0b6d31cc01a1c84fa988ec1c
SHA512 c73b4a0300dce59d22ab89d3f4e7d6b87a120ca3f3480831f309d4f01675a425b705ec362037f5aefa6dc76e6aae5060354843e2952ad5cac6877e7d803a4563

memory/2856-14-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

memory/2388-15-0x0000000000400000-0x00000000005C5000-memory.dmp

memory/2388-16-0x00000000002B0000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe

MD5 276d5b7ca6303c28492807f4d1d92309
SHA1 68f2bf37c6952a5a5e2ee06c721a40ecac244439
SHA256 a8b210be8d7774a898df8306a4f2110d99218198fb842fdcd180c624c765f8aa
SHA512 e0388aa6700e9d1cceef3d755083f3234b2c5e542fc0a64df528d3e5e3bdebf6d45aa215bc49640677748bf04b72083096292161b6fe87b7db040d2e56292423

memory/2944-17-0x0000000000360000-0x00000000003A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e653d73e45833b6c

MD5 f6bf7388adffaca991fc24ca2148bce3
SHA1 950c1d389e746d51b7acffa662d3f713a293979e
SHA256 2b63e36f1098c8eb8f5c5f4d67b792586bdda9499dee8c987f9784a582cd28bd
SHA512 0e31d51c050c5acec3a908e58c58180e632ae059ae3a5f8d20e6e2abaf54c1427af338e81f662239bce52a6acef071e906f83e3025f6236ff5db9056107c5aa1

memory/2388-28-0x0000000000400000-0x00000000005C5000-memory.dmp

memory/2388-29-0x00000000002B0000-0x00000000002B1000-memory.dmp