Malware Analysis Report

2025-05-06 00:17

Sample ID: 250421-nlpe8ssves
Target: JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f
SHA256: 0ffba74d621982cd05fcfe74276a5bbbd10590e06bb74144fabdfa585976b1a2
Tags: latentbot discovery persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V16)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 0ffba74d621982cd05fcfe74276a5bbbd10590e06bb74144fabdfa585976b1a2

Threat Level: Known bad

The file JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f was found to be: Known bad.

Malicious Activity Summary

latentbot discovery persistence trojan

Latentbot family

LatentBot

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V16 (rendered as an image on the original page). The signatures listed in the behavioral analyses below correspond to these techniques: Persistence, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001); Discovery, System Location Discovery (T1614) and its sub-technique System Language Discovery (T1614.001); Discovery, System Information Discovery (T1082) for the physical storage device enumeration.

Analysis: static1

Detonation Overview

Reported

2025-04-21 11:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-21 11:29

Reported

2025-04-21 11:31

Platform

win10v2004-20250410-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\standard.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\standard.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\dsds.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\rundll.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target | Count
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntldr.dll = "\"C:\\Users\\Admin\\AppData\\Roaming\\ntldr.dll \"" | C:\Windows\SysWOW64\reg.exe | N/A | 3 (one per reg.exe invocation)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\standard.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\rundll.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\dsds.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A | 6
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A | 3

cmd.exe and reg.exe open this key as part of their normal startup, so the signature fires for nearly every process in the tree; on its own it is weak evidence, and only the entries for the dropped executables are worth noting.

Modifies registry key

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A | 3

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\standard.exe | N/A | 2

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Roaming\dsds.exe | N/A | 3
N/A | N/A | C:\Users\Admin\AppData\Roaming\rundll.exe | N/A | 1

Suspicious use of WriteProcessMemory

Parent PID | Parent process | Child PID | Child process | Writes
1508 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe | 1176 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 3
1176 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 2348 | C:\Users\Admin\AppData\Roaming\dsds.exe | 3
1176 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 908 | C:\Windows\SysWOW64\cmd.exe | 3
1176 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 624 | C:\Windows\SysWOW64\cmd.exe | 3
1176 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 3372 | C:\Windows\SysWOW64\cmd.exe | 3
1176 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 4408 | C:\Users\Admin\AppData\Roaming\rundll.exe | 3
3372 | C:\Windows\SysWOW64\cmd.exe | 4764 | C:\Windows\SysWOW64\cmd.exe | 3
624 | C:\Windows\SysWOW64\cmd.exe | 4792 | C:\Windows\SysWOW64\cmd.exe | 3
4764 | C:\Windows\SysWOW64\cmd.exe | 4776 | C:\Windows\SysWOW64\reg.exe | 3
4792 | C:\Windows\SysWOW64\cmd.exe | 4748 | C:\Windows\SysWOW64\reg.exe | 3
908 | C:\Windows\SysWOW64\cmd.exe | 8 | C:\Windows\SysWOW64\cmd.exe | 3
8 | C:\Windows\SysWOW64\cmd.exe | 2264 | C:\Windows\SysWOW64\reg.exe | 3

Every pair here is a parent writing into a child it has just spawned, and the uniform three writes per pair is what process creation itself produces (the parent populates the new process's memory before it starts running). Read this table as the process tree rather than as evidence of injection into an unrelated process: a write into a PID that is not a direct child would be the thing to look for, and there is none.

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe"

C:\Users\Admin\AppData\Local\Temp\standard.exe

"C:\Users\Admin\AppData\Local\Temp\standard.exe"

C:\Users\Admin\AppData\Roaming\dsds.exe

"C:\Users\Admin\AppData\Roaming\dsds.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c syscheck.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c syscheck.bat

C:\Users\Admin\AppData\Roaming\rundll.exe

"C:\Users\Admin\AppData\Roaming\rundll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "
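
The two tables above are easier to reason about as a tree plus a short list of persistence entries. The following Python is an added example, not part of the original report and not code from the analysed sample; it rebuilds the process tree from the parent->child write rows and pulls the Run-key entry out of the reg.exe command lines, flagging the traits a triager would want called out (target in a user-writable directory, a non-.exe extension that CreateProcess will happily run anyway, and the same file being launched immediately as well as persisted). The sample rows are copied from this report; the directory list and flag names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample (from the behavioral1 tables above): the distinct parent->child
# rows of the WriteProcessMemory table, one copy each of the three the report lists.
WRITE_ROWS = r'''
PID 1508 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe C:\Users\Admin\AppData\Local\Temp\standard.exe
PID 1176 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\standard.exe C:\Users\Admin\AppData\Roaming\dsds.exe
PID 1176 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\standard.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\standard.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\standard.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\standard.exe C:\Users\Admin\AppData\Roaming\rundll.exe
PID 3372 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4792 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 908 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
'''

# Constructed sample: the distinct command lines from the Processes list above.
PROCESS_CMDLINES = r'''
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe"
"C:\Users\Admin\AppData\Local\Temp\standard.exe"
"C:\Users\Admin\AppData\Roaming\dsds.exe"
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
"C:\Users\Admin\AppData\Roaming\rundll.exe"
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "
'''

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
REG_ADD_RE = re.compile(r'REG ADD (?P<key>\S+) /V (?P<name>\S+) /D "(?P<data>.*?)" /f', re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
# Assumption (example's own list): path fragments an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def parse_writes(text):
    """One (parent_pid, child_pid, parent_image, child_image) tuple per row."""
    return [(int(p), int(c), pi, ci) for p, c, pi, ci in WRITE_RE.findall(text)]


def render_tree(edges):
    """Rebuild the process tree from parent->child writes, two spaces of indent per level.

    In this trace every write is a parent populating a child it has just created, so the
    edge list *is* the process tree; a write into a PID that is no child would stand out.
    """
    image, parent_of, children = {}, {}, defaultdict(list)
    for ppid, cpid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        if cpid not in parent_of:          # first writer is the creator
            parent_of[cpid] = ppid
            children[ppid].append(cpid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in (p for p in image if p not in parent_of):
        walk(root, 0)
    return lines


def find_run_key_persistence(cmdlines):
    """Extract Run/RunOnce entries written via reg.exe and annotate why they matter."""
    lines = [l for l in cmdlines.splitlines() if l.strip()]
    seen, hits = set(), []
    for line in lines:
        m = REG_ADD_RE.search(line)
        if not m or not RUN_KEY_RE.search(m["key"]):
            continue
        # reg.exe receives the data with escaped inner quotes: \"C:\path \"
        target = m["data"].replace('\\"', '"').strip().strip('"').strip()
        ident = (m["key"].lower(), m["name"].lower(), target.lower())
        if ident in seen:                  # cmd /c REG ADD ... and REG ADD ... are one event
            continue
        seen.add(ident)
        flags = []
        if any(frag in target.lower() for frag in USER_WRITABLE):
            flags.append("user-writable-dir")
        if not target.lower().endswith(".exe"):
            flags.append("non-exe-extension")   # CreateProcess runs any valid PE regardless of name
        if any(target.lower() in l.lower() and not REG_ADD_RE.search(l) for l in lines):
            flags.append("also-executed-immediately")
        hits.append({"key": m["key"], "value_name": m["name"], "target": target, "flags": flags})
    return hits


if __name__ == "__main__":
    print("\n".join(render_tree(parse_writes(WRITE_ROWS))))
    for hit in find_run_key_persistence(PROCESS_CMDLINES):
        print(hit)
```

Fed the rows above, the tree shows standard.exe as the hub (it spawns dsds.exe, rundll.exe and three cmd.exe chains that each end in reg.exe), and the single persistence hit is the Run value ntldr.dll pointing at a file in AppData\Roaming that carries a .dll name but is launched directly by cmd.exe, so it is a renamed executable rather than a library.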

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | yeniceriler.zapto.org | udp | 15
US | 8.8.8.8:53 | chat.chaoskoxp.org | udp | 1
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp | 5
US | 8.8.8.8:53 | c.pki.goog | udp | 1
DE | 172.217.16.67:80 | c.pki.goog | tcp | 1

Only DNS lookups are recorded for yeniceriler.zapto.org (a dynamic-DNS hostname) and chat.chaoskoxp.org; no TCP session to either follows, so whatever the sample wanted to reach there was not reached during detonation, and the table cannot tell whether the names failed to resolve or the connection never completed. The fifteen lookups of the same name within the run are consistent with a reconnect loop. The bing.net and pki.goog traffic is ordinary Windows and browser background activity on the sandbox image and is not attributable to the sample.
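
Separating the sample's own lookups from sandbox noise is the first thing to do with a table like this. The following Python is an added example, not part of the original report; it folds the flat rows into one record per domain, marks which ones only ever appear as DNS queries, and returns the domains worth blocking or hunting for. The rows are copied from the table above; the background-noise and dynamic-DNS suffix lists and the retry threshold are the example's own assumptions and should be replaced by a baseline taken from a clean run of your own sandbox image.

```python
import re
from collections import defaultdict

# Constructed sample: the behavioral1 Network rows above, one per line, in the order listed.
NETWORK_ROWS = """\
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 chat.chaoskoxp.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 c.pki.goog udp
DE 172.217.16.67:80 c.pki.goog tcp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
US 8.8.8.8:53 yeniceriler.zapto.org udp
"""

# Assumption: sandbox/OS background traffic to exclude (Bing image CDN used by Windows,
# Google Trust Services CRL/OCSP). Maintain this from your own clean-VM baseline.
BACKGROUND_SUFFIXES = (".mm.bing.net", ".pki.goog")
# Assumption: a short list of dynamic-DNS provider suffixes; extend as needed.
DDNS_SUFFIXES = (".zapto.org", ".hopto.org", ".no-ip.org", ".no-ip.biz", ".ddns.net", ".duckdns.org")
# Heuristic: this many lookups of one name with no session behind them reads as a retry loop.
RETRY_THRESHOLD = 5

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>udp|tcp)$")


def classify(domain, rec):
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if rec["connections"]:
        return "connected"
    # Queried but never connected: NXDOMAIN or an unreachable host; the table cannot say which.
    if rec["dns_queries"] >= RETRY_THRESHOLD:
        return "dns-only, repeated (retry loop)"
    return "dns-only"


def summarize(rows):
    """Fold the flat row list into one record per domain with a verdict attached."""
    per_domain = defaultdict(lambda: {"dns_queries": 0, "connections": []})
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rec = per_domain[m["domain"]]
        if m["port"] == "53" and m["proto"] == "udp":
            rec["dns_queries"] += 1
        else:
            rec["connections"].append((m["ip"], int(m["port"]), m["proto"], m["cc"]))
    for domain, rec in per_domain.items():
        rec["ddns"] = domain.endswith(DDNS_SUFFIXES)
        rec["verdict"] = classify(domain, rec)
    return dict(per_domain)


def candidate_iocs(summary):
    """Domains worth blocking or hunting for: everything that is not baseline noise, sorted."""
    return sorted(d for d, rec in summary.items() if rec["verdict"] != "background")


if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    for domain, rec in summary.items():
        print(f"{domain:24} dns={rec['dns_queries']:2} tcp={len(rec['connections'])} "
              f"ddns={rec['ddns']} {rec['verdict']}")
    print("IOCs:", candidate_iocs(summary))
```

On these rows the only IOC candidates are the two non-background names, and both come out as dns-only; yeniceriler.zapto.org is additionally marked as dynamic DNS and as a retry loop, which is the kind of name to watch at the resolver rather than by IP, since the address behind it can change at any time.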

Files

memory/1508-0-0x0000000000510000-0x0000000000511000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\standard.exe

MD5 8273deb5a080d6d61c83ea61bc0432bd
SHA1 4206efd74c48c13aee33f07f720a2b6bd91dce99
SHA256 0728c0ba138b10eecf4a7171eeee912ec4b5b74ffbcbc60bfb5bfbd9179b83e2
SHA512 bd10373c35ed1a4998c01c7a51277b857a71fe9b17617e04831cf77d3a48f39e74efca9ab3b79fe4b1104f2a4b58ed823c87581c93f7818a67124c8ccf881453

memory/1508-9-0x0000000004000000-0x00000000041DB000-memory.dmp

memory/1176-10-0x0000000000400000-0x0000000000569000-memory.dmp

C:\Users\Admin\AppData\Roaming\dsds.exe

MD5 093a2b6f57aceba469f3c4197a446a75
SHA1 308103393607bd57e87327b32c1d4b990410290a
SHA256 ddee4cf79091b1ae7b8f27ce3f73a2d27d675f882642cb2e66ce8c291f6a0296
SHA512 1dd430d13c1a1bc54a47f9a6dfa31854a594c593000464e326048febd14fe6c8ce53569970c92bc19fab392a2864827966e8b07c2d702f01f319578964a85fb6

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

MD5 39f2d111253e3714e37ff12202e0bf12
SHA1 6172623d832a71b82a9c34063237f247e5bc1364
SHA256 9145bfaeb4e64deb3cea8448f1f7025589456b892530d052f499bfc33325dedd
SHA512 949e275fbaa7c7bc53b3de7b1ac8580ac449ae6203d0e7aba7f9a43cb75c4cf067bbfd0cc5d32a7f7f55843e90b155ba7b6bbc42e318a260667b8c62022cca08

C:\Users\Admin\AppData\Roaming\rundll.exe

MD5 fc2a1b816f6eafdad8e16ddffb2d0e6d
SHA1 ebc44b31b897ca7d6b533c15431a7920831437a1
SHA256 ec9df8fb7a59dd03918a819316406a4091f0b5db7f88afee13aa4227d61eb7cd
SHA512 c1f94ec71cc7805f7c3ca199edeed1a5e8254d6d0873c0e6db33ac1bf72c22db8c51a0f9b9a7502092944fa139a6beea7b377de2fd57df780999c25a1e8544b3

memory/1176-45-0x0000000000400000-0x0000000000569000-memory.dmp

memory/4408-42-0x00000000006B0000-0x00000000006E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\ntldr.dll

MD5 c9b76bea3062300dd2957be713c77ba1
SHA1 8c30562d91ecb2f4ada92ec927c0bbe4ab869ed1
SHA256 2c017cc4fb05277095eb9be218c58e6041d985510f36678ec32bb4f74d7c493e
SHA512 0cb98c144720164c525d7b23de0b23e5eb27e5461f2823932a4420983a99a81ab7860e4b200bbd40a1d3e74ed2264418957cbb511a5bc0c1d5202a84dda4b089

memory/2348-48-0x0000000004710000-0x0000000004742000-memory.dmp

memory/2348-59-0x0000000004710000-0x0000000004742000-memory.dmp

memory/4408-61-0x00000000006B0000-0x00000000006E2000-memory.dmp

memory/4408-60-0x0000000000400000-0x000000000046F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-21 11:29

Reported

2025-04-21 11:31

Platform

win11-20250410-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\standard.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\dsds.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\rundll.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target | Count
Set value (str) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntldr.dll = "\"C:\\Users\\Admin\\AppData\\Roaming\\ntldr.dll \"" | C:\Windows\SysWOW64\reg.exe | N/A | 2 (one per reg.exe invocation)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\standard.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\rundll.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\dsds.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A | 5
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A | 2

Modifies registry key

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\standard.exe | N/A | 2

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Roaming\dsds.exe | N/A | 3
N/A | N/A | C:\Users\Admin\AppData\Roaming\rundll.exe | N/A | 1

Suspicious use of WriteProcessMemory

Parent PID | Parent process | Child PID | Child process | Writes
2728 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe | 3368 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 3
3368 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 5300 | C:\Users\Admin\AppData\Roaming\dsds.exe | 3
3368 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 3176 | C:\Windows\SysWOW64\cmd.exe | 3
3368 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 3552 | C:\Windows\SysWOW64\cmd.exe | 3
3368 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 1252 | C:\Windows\SysWOW64\cmd.exe | 3
3368 | C:\Users\Admin\AppData\Local\Temp\standard.exe | 3316 | C:\Users\Admin\AppData\Roaming\rundll.exe | 3
3552 | C:\Windows\SysWOW64\cmd.exe | 5628 | C:\Windows\SysWOW64\cmd.exe | 3
5628 | C:\Windows\SysWOW64\cmd.exe | 928 | C:\Windows\SysWOW64\reg.exe | 3
1252 | C:\Windows\SysWOW64\cmd.exe | 4896 | C:\Windows\SysWOW64\cmd.exe | 3
4896 | C:\Windows\SysWOW64\cmd.exe | 4908 | C:\Windows\SysWOW64\reg.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe"

C:\Users\Admin\AppData\Local\Temp\standard.exe

"C:\Users\Admin\AppData\Local\Temp\standard.exe"

C:\Users\Admin\AppData\Roaming\dsds.exe

"C:\Users\Admin\AppData\Roaming\dsds.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c syscheck.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c syscheck.bat

C:\Users\Admin\AppData\Roaming\rundll.exe

"C:\Users\Admin\AppData\Roaming\rundll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | yeniceriler.zapto.org | udp | 2

Files

memory/2728-0-0x0000000002290000-0x0000000002291000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\standard.exe

MD5 8273deb5a080d6d61c83ea61bc0432bd
SHA1 4206efd74c48c13aee33f07f720a2b6bd91dce99
SHA256 0728c0ba138b10eecf4a7171eeee912ec4b5b74ffbcbc60bfb5bfbd9179b83e2
SHA512 bd10373c35ed1a4998c01c7a51277b857a71fe9b17617e04831cf77d3a48f39e74efca9ab3b79fe4b1104f2a4b58ed823c87581c93f7818a67124c8ccf881453

memory/2728-9-0x0000000004000000-0x00000000041DB000-memory.dmp

memory/3368-11-0x00000000021B0000-0x00000000021B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\dsds.exe

MD5 093a2b6f57aceba469f3c4197a446a75
SHA1 308103393607bd57e87327b32c1d4b990410290a
SHA256 ddee4cf79091b1ae7b8f27ce3f73a2d27d675f882642cb2e66ce8c291f6a0296
SHA512 1dd430d13c1a1bc54a47f9a6dfa31854a594c593000464e326048febd14fe6c8ce53569970c92bc19fab392a2864827966e8b07c2d702f01f319578964a85fb6

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

MD5 39f2d111253e3714e37ff12202e0bf12
SHA1 6172623d832a71b82a9c34063237f247e5bc1364
SHA256 9145bfaeb4e64deb3cea8448f1f7025589456b892530d052f499bfc33325dedd
SHA512 949e275fbaa7c7bc53b3de7b1ac8580ac449ae6203d0e7aba7f9a43cb75c4cf067bbfd0cc5d32a7f7f55843e90b155ba7b6bbc42e318a260667b8c62022cca08

C:\Users\Admin\AppData\Roaming\rundll.exe

MD5 fc2a1b816f6eafdad8e16ddffb2d0e6d
SHA1 ebc44b31b897ca7d6b533c15431a7920831437a1
SHA256 ec9df8fb7a59dd03918a819316406a4091f0b5db7f88afee13aa4227d61eb7cd
SHA512 c1f94ec71cc7805f7c3ca199edeed1a5e8254d6d0873c0e6db33ac1bf72c22db8c51a0f9b9a7502092944fa139a6beea7b377de2fd57df780999c25a1e8544b3

C:\Users\Admin\AppData\Roaming\ntldr.dll

MD5 c9b76bea3062300dd2957be713c77ba1
SHA1 8c30562d91ecb2f4ada92ec927c0bbe4ab869ed1
SHA256 2c017cc4fb05277095eb9be218c58e6041d985510f36678ec32bb4f74d7c493e
SHA512 0cb98c144720164c525d7b23de0b23e5eb27e5461f2823932a4420983a99a81ab7860e4b200bbd40a1d3e74ed2264418957cbb511a5bc0c1d5202a84dda4b089

memory/3368-43-0x0000000000400000-0x0000000000569000-memory.dmp

memory/3316-42-0x00000000008B0000-0x00000000008E2000-memory.dmp

memory/5300-47-0x0000000003CD0000-0x0000000003D02000-memory.dmp

memory/5300-58-0x0000000003CD0000-0x0000000003D02000-memory.dmp

memory/3316-60-0x00000000008B0000-0x00000000008E2000-memory.dmp

memory/3316-59-0x0000000000400000-0x000000000046F000-memory.dmp