Malware Analysis Report

2025-05-28 17:24

Sample ID 250516-mhyztssqw8
Target JaffaCakes118_05895a9a51666b349018181c47a225dd
SHA256 7686f055f8b252f4896523a8991be23fdd27da4cd1c71e012c6f9643c3ba587a
Tags
dridex botnet defense_evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7686f055f8b252f4896523a8991be23fdd27da4cd1c71e012c6f9643c3ba587a

Threat Level: Known bad

The file JaffaCakes118_05895a9a51666b349018181c47a225dd was found to be: Known bad.

Malicious Activity Summary

dridex botnet defense_evasion payload persistence trojan

Dridex

Dridex family

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-16 10:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-16 10:28

Reported

2025-05-16 10:31

Platform

win11-20250502-en

Max time kernel

145s

Max time network

103s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05895a9a51666b349018181c47a225dd.dll

Signatures

Dridex

botnet dridex

Dridex family

dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hmgiyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\pK2hnxVf\\msra.exe" | N/A | N/A

Checks whether UAC is enabled

defense_evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\TuB5\msra.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | N/A | N/A
(the last row, an event with no recorded fields, occurs 60 times)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
(this pair of rows occurs 32 times)

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3176 wrote to memory of 4476 | N/A | N/A | C:\Windows\system32\wusa.exe
PID 3176 wrote to memory of 4476 | N/A | N/A | C:\Windows\system32\wusa.exe
PID 3176 wrote to memory of 456 | N/A | N/A | C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe
PID 3176 wrote to memory of 456 | N/A | N/A | C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe
PID 3176 wrote to memory of 3720 | N/A | N/A | C:\Windows\system32\msra.exe
PID 3176 wrote to memory of 3720 | N/A | N/A | C:\Windows\system32\msra.exe
PID 3176 wrote to memory of 3768 | N/A | N/A | C:\Users\Admin\AppData\Local\TuB5\msra.exe
PID 3176 wrote to memory of 3768 | N/A | N/A | C:\Users\Admin\AppData\Local\TuB5\msra.exe
PID 3176 wrote to memory of 4768 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3176 wrote to memory of 4768 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3176 wrote to memory of 3440 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe
PID 3176 wrote to memory of 3440 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe
PID 4768 wrote to memory of 4920 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe
PID 4768 wrote to memory of 4920 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe
PID 3176 wrote to memory of 4856 | N/A | N/A | C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe
PID 3176 wrote to memory of 4856 | N/A | N/A | C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05895a9a51666b349018181c47a225dd.dll

C:\Windows\system32\wusa.exe

C:\Windows\system32\wusa.exe

C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe

C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\TuB5\msra.exe

C:\Users\Admin\AppData\Local\TuB5\msra.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe

C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe

Network

Files

memory/408-0-0x00000000012C0000-0x00000000012C7000-memory.dmp

memory/408-2-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-4-0x0000000003220000-0x0000000003221000-memory.dmp

memory/3176-6-0x00007FF96BC57000-0x00007FF96BC58000-memory.dmp

memory/3176-9-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-43-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-66-0x00007FF96C0D0000-0x00007FF96C0E0000-memory.dmp

C:\Users\Admin\AppData\Local\qpz6Cm\WTSAPI32.dll

MD5 9e432185c3554d8c9bb2ad5cf6e7f369
SHA1 c8bad84edbaced02a312fc681e9b24d566c01156
SHA256 1df0350169a64c9e93263f9aea3d55527ce9148bdc6778f4780d02b49be2256f
SHA512 b72ca31b68a135ce9e24213bd750d1b5acea04c1ec82da1b874beae18833005b44b87fdbc08388e89c22f16d641c9abd58ca57464578eb33dd1dbf07e7547f05

C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe

MD5 297ce1cb7c6ce8ef6f5655ec78e4c667
SHA1 986422155a1509a0ee0dfe8098623f1158ad69c5
SHA256 50af95b82a9fc4f25b5443b2582bc76ef8fdd64792bb8da9b64ec7312da37452
SHA512 2e436801f2f64e816b0f4b80dbe60d350c1d48956d059e55a25c8d1d66311cbd6b59ed1deeec2524c6dedb7efc97ceca5e061f70be06fa7e4872cfa8079519cb

memory/3176-65-0x0000000003200000-0x0000000003207000-memory.dmp

memory/3176-42-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/408-37-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-31-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-29-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-62-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-60-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-51-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-44-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-35-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-34-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-33-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-32-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-26-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-23-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-24-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/456-79-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/456-78-0x000001DF610D0000-0x000001DF610D7000-memory.dmp

memory/456-73-0x0000000140000000-0x00000001401C7000-memory.dmp

C:\Users\Admin\AppData\Local\TuB5\UxTheme.dll

MD5 ad5159299c26d1b247a381c168506623
SHA1 8c3dcab3228068259eba6f77677d71c70f0d4985
SHA256 7319df49fe6bda1fdb251dc86e86fc8282efbf34dd51507b45571a0c5ad16904
SHA512 d787bb21c35a82f51a60cfac42b814e1cad2c36d9c05f3a3bc658c01c03458ae7dd14f52021e48f98b341de1546f3f993bff4334b74f20e350e65874d2a761aa

memory/3768-95-0x00000180E6B60000-0x00000180E6B67000-memory.dmp

memory/3768-96-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3176-101-0x0000000001180000-0x0000000001181000-memory.dmp

C:\Users\Admin\AppData\Local\3v5zp\XmlLite.dll

MD5 466a2b040952a64fa99b57d9c564c9bf
SHA1 5ec5436d6937315d0216b71924af1b0a8205c976
SHA256 5e541795221359fcc7c94d0ee9c6316e45ec50604691e42227055802492542a1
SHA512 b79db31c906c8f91e0e3f8103e4e7730a2adf269ea965b9ac563bda8130050beac62ff3705f2dc167f66ff15f2dfd3f05126d6d21c0930eae367e247f0d00b21

C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe

MD5 3a7a37e56522dd8c1fba1e29c2e07310
SHA1 7f20d25cc7e75cf7f2eaaebe4c325a9f6f356a5a
SHA256 8bf9d26a4bdc399ea5430d4e09f1bd4c5a1c3f2fe2672c510de6611554809b34
SHA512 65340cf36a072a56c43a6da8a1aa560f89fc907a3b18b4f8c13b84beb9c1bff53247ace2aa3f7d9fc640c086119741d573ee6a3f6805e334ae26021627132de7

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe

MD5 e401bb7f426a3a20c992dd8912ed0e62
SHA1 64ec59c88afe708b20e9df4349dee59ca217ee78
SHA256 5ad43163063b6caa94102c480f3738848565e72898c021968ec29d53ae133df6
SHA512 1cb68867ba3572341d72cc15c0bff2ddd561f16b5e92b90d6ee6459341f87bda357fa7c997f48fad9ef29e88c1eb3ccd5d7f9796155ff802236f3bde0c3b1793

memory/3176-22-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-21-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-20-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-19-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-14-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-13-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-12-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-11-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-10-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-39-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-41-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-40-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-38-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-36-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-30-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-27-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-28-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-25-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-7-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-18-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-17-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-15-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-16-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3176-8-0x0000000140000000-0x00000001401C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Bmwfmsvcld.lnk

MD5 2955cb4725d774954c60faf6d042c3d5
SHA1 dd3bd2949f6b8b20558db2a3a5135bb99041a9c5
SHA256 a5bfebabd4f2a071d3623b508ad8d88fe80d8756c4150521222792812180bfe5
SHA512 a70a16a487a160eb33ad8324c95eacb82c3d9109eb8019c5885444f402bbc5dd19d7124d3daef19db3a713f6bda6a6c0004ba1a8d5d0a9e87267fed5a98b92b7

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-16 10:28

Reported

2025-05-16 10:31

Platform

win10v2004-20250502-en

Max time kernel

140s

Max time network

144s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05895a9a51666b349018181c47a225dd.dll

Signatures

Dridex

botnet dridex

Dridex family

dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rqmyye = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\aJ\\mfpmp.exe" | N/A | N/A

Checks whether UAC is enabled

defense_evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | N/A | N/A
(the last row, an event with no recorded fields, occurs 58 times)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
(this pair of rows occurs 4 times)

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3580 wrote to memory of 5020 | N/A | N/A | C:\Windows\system32\phoneactivate.exe
PID 3580 wrote to memory of 5020 | N/A | N/A | C:\Windows\system32\phoneactivate.exe
PID 3580 wrote to memory of 5556 | N/A | N/A | C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe
PID 3580 wrote to memory of 5556 | N/A | N/A | C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe
PID 3580 wrote to memory of 4324 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3580 wrote to memory of 4324 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3580 wrote to memory of 4992 | N/A | N/A | C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe
PID 3580 wrote to memory of 4992 | N/A | N/A | C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe
PID 3580 wrote to memory of 3404 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3580 wrote to memory of 3404 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3580 wrote to memory of 1556 | N/A | N/A | C:\Windows\system32\quickassist.exe
PID 3580 wrote to memory of 1556 | N/A | N/A | C:\Windows\system32\quickassist.exe
PID 3580 wrote to memory of 4840 | N/A | N/A | C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe
PID 3580 wrote to memory of 4840 | N/A | N/A | C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe
PID 3404 wrote to memory of 2932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe
PID 3404 wrote to memory of 2932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe

Uses Task Scheduler COM API

persistence
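The Run-key and EnableLUA rows in this run and in behavioral2 are the events worth scoring automatically, because the value names (Hmgiyc, Rqmyye), the random directory names and the SIDs change from run to run while the shape of the event does not. The Python below is an added example written for this page; it is neither sandbox output nor code from the sample. It parses the rows as the report renders them (Description, Indicator and Process columns, trailing N/A columns dropped, transcribed from both runs) plus one constructed control row for the genuine C:\Windows\system32\wusa.exe, and flags two patterns: a Run value pointing at a file under C:\Users that carries the name of a System32 binary, and an EnableLUA read issued by such a relocated copy. The SYSTEM32_BINARIES set is an assumption standing in for a clean-image inventory; the short-name check is there because the behavioral1 target is written with 8.3 components (MICROS~1, STARTM~1, ACCESS~2), which a string match against the long-name path would miss.

```python
"""Score the Run-key and EnableLUA rows of both behavioral runs.
Added example for this page; not sandbox output and not code from the sample."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Assumption: the System32 file names to match against. A real pipeline would
# load an inventory of a clean image; this set is just the names the report
# shows running from C:\Windows\system32.
SYSTEM32_BINARIES = {
    "wusa.exe", "msra.exe", "musnotificationux.exe",
    "phoneactivate.exe", "mfpmp.exe", "quickassist.exe",
}

# Rows transcribed from the report (trailing N/A columns dropped).
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hmgiyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\pK2hnxVf\\msra.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rqmyye = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\aJ\\mfpmp.exe"',
]
ENABLELUA = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
UAC_QUERY_ROWS = [f"Key value queried {ENABLELUA} {p}" for p in (
    r"C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe",
    r"C:\Users\Admin\AppData\Local\TuB5\msra.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe",
    r"C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe",
    r"C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe",
    r"C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe",
)]
# Constructed control row, not in the report: the genuine binary reading the same value.
CONTROL_ROW = f"Key value queried {ENABLELUA} C:\\Windows\\system32\\wusa.exe"

RUN_ROW = re.compile(
    r'^Set value \(str\) \\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\.+?\\Run\\'
    r'(?P<name>[^\\ ]+) = "(?P<value>.*)"$', re.IGNORECASE)
QUERY_ROW = re.compile(r"^Key value queried (?P<key>\S+) (?P<process>\S+)$")


@dataclass
class RunKeyFinding:
    sid: str
    value_name: str
    target: str          # path after undoing the report's doubled backslashes
    user_writable: bool  # under C:\Users, so it was set without admin rights
    short_names: bool    # uses 8.3 components such as MICROS~1
    masquerades: bool    # bears a System32 file name but lives elsewhere


def _in_system32(path: str) -> bool:
    return ntpath.dirname(path).lower() == "c:\\windows\\system32"


def _relocated_system_binary(path: str) -> bool:
    return ntpath.basename(path).lower() in SYSTEM32_BINARIES and not _in_system32(path)


def parse_run_key(row: str) -> RunKeyFinding:
    m = RUN_ROW.match(row)
    if m is None:
        raise ValueError(f"not a Run-key row: {row!r}")
    target = m["value"].replace("\\\\", "\\")  # the report escapes backslashes inside quotes
    return RunKeyFinding(
        sid=m["sid"],
        value_name=m["name"],
        target=target,
        user_writable=target.lower().startswith("c:\\users\\"),
        short_names=re.search(r"~\d+\\", target) is not None,
        masquerades=_relocated_system_binary(target),
    )


def suspicious_uac_queriers(rows: list[str]) -> list[str]:
    """Processes that read EnableLUA while running as a relocated copy of a System32 binary."""
    hits = []
    for row in rows:
        m = QUERY_ROW.match(row)
        if m is None or not m["key"].lower().endswith("\\policies\\system\\enablelua"):
            continue  # some other registry read
        if _relocated_system_binary(m["process"]):
            hits.append(m["process"])
    return hits


def score(run_rows: list[str], uac_rows: list[str]) -> dict[str, list[str]]:
    findings = [parse_run_key(r) for r in run_rows]
    return {
        "persistence_outside_system32": [f.target for f in findings if f.user_writable and f.masquerades],
        "short_name_paths": [f.target for f in findings if f.short_names],
        "uac_checks_from_relocated_copies": suspicious_uac_queriers(uac_rows),
    }


if __name__ == "__main__":
    for name, paths in score(RUN_KEY_ROWS, UAC_QUERY_ROWS + [CONTROL_ROW]).items():
        print(name, *paths, sep="\n  ")
```

Run it directly to print the three finding lists; the control row is correctly left out because it comes from System32. On a live host the same two checks translate to enumerating HKCU\Software\Microsoft\Windows\CurrentVersion\Run and comparing each target's file name and directory against the System32 inventory; the SID-keyed \REGISTRY\USER path in the report is simply the HKCU hive of the sandbox user.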

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05895a9a51666b349018181c47a225dd.dll

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe

C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe

C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe

C:\Windows\system32\quickassist.exe

C:\Windows\system32\quickassist.exe

C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe

C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
FR | 142.251.37.35:80 | c.pki.goog | tcp

No other connections were recorded in this run, so the report carries no command-and-control indicators for the sample. The traffic shown (DNS through 8.8.8.8, TLS to the Bing image CDN tse1.mm.bing.net and plain HTTP to Google's PKI host c.pki.goog) is the kind of background activity a Windows 10 VM generates on its own and should not be treated as an IOC for this sample without corroboration.

Files

memory/1460-0-0x00000000008F0000-0x00000000008F7000-memory.dmp

memory/1460-1-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-6-0x00007FFCE929A000-0x00007FFCE929B000-memory.dmp

memory/3580-4-0x00000000009B0000-0x00000000009B1000-memory.dmp

memory/3580-8-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-41-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/5556-79-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/5556-78-0x000001B7B1000000-0x000001B7B1007000-memory.dmp

memory/5556-73-0x0000000140000000-0x00000001401C7000-memory.dmp

C:\Users\Admin\AppData\Local\W7Nor\SLC.dll

MD5 0d4d78dfacafb264d82ae485dd56b20c
SHA1 b3b28d2e791c4fa8af3ac08674be84785ff112ef
SHA256 66b93b38822ea2f28bbe8556c3aabdc93973726a0e9cddbe56f464353b240cc9
SHA512 d7aff5e9a95e6ce09fded4b97d475a3f0be909330d94b06fe4cbe773041e6244b52594d96da02903a3c1bef0032cbabf1366e0b2a55a9fa5f70b11718ffef213

C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe

MD5 32c31f06e0b68f349f68afdd08e45f3d
SHA1 e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c
SHA256 cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017
SHA512 fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

memory/3580-69-0x00007FFCEA7C0000-0x00007FFCEA7D0000-memory.dmp

memory/3580-68-0x00000000029C0000-0x00000000029C7000-memory.dmp

memory/3580-27-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-62-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-60-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-51-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-44-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-43-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-42-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-40-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-39-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-38-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-35-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-33-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-32-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-29-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-28-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-26-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-25-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-24-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-23-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-22-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-21-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-19-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-16-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1460-17-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-15-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-14-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-13-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-12-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-11-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-10-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-9-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-37-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-36-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-34-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-31-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-30-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-20-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-18-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3580-7-0x0000000140000000-0x00000001401C6000-memory.dmp

C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe

MD5 8f8fd1988973bac0c5244431473b96a5
SHA1 ce81ea37260d7cafe27612606cf044921ad1304c
SHA256 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e
SHA512 a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

C:\Users\Admin\AppData\Local\ktWtT\MFPlat.DLL

MD5 d655a5e31aeaccada4d7a6a880d83ea7
SHA1 ffcbfc13b868b5407ff528c02e6744465b34376a
SHA256 0b6179fe70e2bc3f68f053ea55b73bebdd80b540574318e7ed68d283773b0da6
SHA512 18c08be2c0a371dbfdb458c5eae9bbc02db08983406b83c22391ab4fe963f47ee675d150c4a549c1c80d21e4343eeebf6eb4dab07685a7804a664866b24401dc

memory/4992-96-0x0000000140000000-0x00000001401C8000-memory.dmp

memory/4992-91-0x0000000140000000-0x00000001401C8000-memory.dmp

memory/4992-90-0x0000019413D30000-0x0000019413D37000-memory.dmp

memory/3580-103-0x0000000002A00000-0x0000000002A01000-memory.dmp

C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe

MD5 d1216f9b9a64fd943539cc2b0ddfa439
SHA1 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
SHA256 c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
SHA512 c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

C:\Users\Admin\AppData\Local\ypjmI4Lx\UxTheme.dll

MD5 b0dcced8ccd7b7d0cbbf295ac8397e84
SHA1 dde1ca34bc74005b69903062671d81df7f2ba445
SHA256 a23f6fedb648a5e503545932233ff6afa0190751805e11df01970a502b9f6522
SHA512 9e054a2e313ea8d17d0c812847c0196e840715929d331ae01db9033f89c1ccaaf40be6124592768de89e9452c4b9d00b673340eeb5e803888ce53607dd350b43

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Myjqnequepv.lnk

MD5 d4dda46d1ee76c8d8a4b883bdeb42621
SHA1 a7c394025d060fa428c708fe0e9b1256ed92cd73
SHA256 68b5a9956205a5826e8caead6de7ae4d1422a03364ae7c90c9e9f08ae5da678b
SHA512 5b3eae5e6645412da0173a35bb2c19b04f44006447a3a6be76fb5b42e18b7523fa5ed3fdaae78fffe839c6a06fd7b4ccc9304462ec44bb22d05138a564cd7f5a
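Read together, the Files and Processes sections of both runs show one layout repeated six times: a copy of a Windows binary in a random directory under the user profile, next to a DLL bearing the name of a system library (WTSAPI32.dll beside wusa.exe, UxTheme.dll beside msra.exe and quickassist.exe, XmlLite.dll beside MusNotificationUx.exe, SLC.dll beside phoneactivate.exe, MFPlat.DLL beside mfpmp.exe), with the genuine System32 binary of the same name also executed during the run. The copy that each Run key points at (pK2hnxVf\msra.exe, aJ\mfpmp.exe) is listed with no DLL beside it. The Python below is an added example for this page, not sandbox code and not the sample's own logic: it correlates the two lists, transcribed from the report, and names every relocated System32 copy together with the DLLs dropped into its directory. It takes EXE candidates from both lists because TuB5\msra.exe appears only in the process list, and it treats a file name as a System32 name when the same name ran from C:\Windows\system32 in the same run, an assumption standing in for a clean-image inventory.

```python
"""Correlate dropped files with executed images to list side-loading candidates.
Added example for this page; not sandbox code and not code from the sample."""
from __future__ import annotations

import ntpath
from collections import defaultdict

# Transcribed from the report: hashed dropped files (memory dumps omitted) and the
# image paths from each run's Processes section.
DROPPED = {
    "behavioral2": [
        r"C:\Users\Admin\AppData\Local\qpz6Cm\WTSAPI32.dll",
        r"C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe",
        r"C:\Users\Admin\AppData\Local\TuB5\UxTheme.dll",
        r"C:\Users\Admin\AppData\Local\3v5zp\XmlLite.dll",
        r"C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe",
        r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Bmwfmsvcld.lnk",
    ],
    "behavioral1": [
        r"C:\Users\Admin\AppData\Local\W7Nor\SLC.dll",
        r"C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe",
        r"C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe",
        r"C:\Users\Admin\AppData\Local\ktWtT\MFPlat.DLL",
        r"C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe",
        r"C:\Users\Admin\AppData\Local\ypjmI4Lx\UxTheme.dll",
        r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Myjqnequepv.lnk",
    ],
}
PROCESSES = {
    "behavioral2": [
        r"C:\Windows\system32\regsvr32.exe",
        r"C:\Windows\system32\wusa.exe",
        r"C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe",
        r"C:\Windows\system32\msra.exe",
        r"C:\Users\Admin\AppData\Local\TuB5\msra.exe",
        r"C:\Windows\system32\cmd.exe",
        r"C:\Windows\system32\MusNotificationUx.exe",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe",
        r"C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe",
    ],
    "behavioral1": [
        r"C:\Windows\system32\regsvr32.exe",
        r"C:\Windows\system32\phoneactivate.exe",
        r"C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe",
        r"C:\Windows\system32\mfpmp.exe",
        r"C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe",
        r"C:\Windows\system32\cmd.exe",
        r"C:\Windows\system32\quickassist.exe",
        r"C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe",
        r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe",
    ],
}


def _in_system32(path: str) -> bool:
    return ntpath.dirname(path).lower() == "c:\\windows\\system32"


def side_loading_candidates(dropped: list[str], processes: list[str]) -> dict[str, list[str]]:
    """Map each relocated copy of a System32 binary to the DLLs dropped beside it.

    Assumption: a file name counts as a System32 name when the same name ran from
    C:\\Windows\\system32 during the run (stands in for a clean-image inventory).
    An empty DLL list means the copy ran with no companion DLL recorded.
    """
    system32_names = {ntpath.basename(p).lower() for p in processes if _in_system32(p)}
    dlls_by_dir: dict[str, list[str]] = defaultdict(list)
    for path in dropped:
        if path.lower().endswith(".dll"):
            dlls_by_dir[ntpath.dirname(path).lower()].append(ntpath.basename(path))
    # EXE candidates come from both lists: a copy can run without being hashed.
    relocated = {
        p for p in processes + dropped
        if p.lower().endswith(".exe")
        and not _in_system32(p)
        and ntpath.basename(p).lower() in system32_names
    }
    return {exe: sorted(dlls_by_dir.get(ntpath.dirname(exe).lower(), []))
            for exe in sorted(relocated)}


def report(run: str) -> dict[str, list[str]]:
    return side_loading_candidates(DROPPED[run], PROCESSES[run])


if __name__ == "__main__":
    for run in ("behavioral2", "behavioral1"):
        print(run)
        for exe, dlls in report(run).items():
            print(f"  {exe}  <-  {', '.join(dlls) or '(no DLL recorded beside it)'}")
```

The empty DLL list for the two Run-key copies says only that the sandbox listing records none; on a live host, list that directory before concluding anything, and compare the hash of any DLL found against the values given above. The pairs this yields are what to hunt for in endpoint telemetry: an image load of a DLL from a user-writable directory by a process whose file name belongs in System32.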