gandcrab | 0b8618ea4aea0b213278a41436bde306a71ca9ba9bb9e6f0d33aca1c4373b3b5

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Size

236KB
MD5

bbb97ca6460707a4f0fecd302a33c9ec
SHA1

3d48df2009d98d75dc88874cf95a49a5e58e4953
SHA256

0b8618ea4aea0b213278a41436bde306a71ca9ba9bb9e6f0d33aca1c4373b3b5
SHA512

d7c1945c051a148bb3b7e9d949e50fdb2bbd206d020ecb77cad37d3a55e438915c9f834563f567c78695672e2122a1a8100803360ff5453c4e9ef70b4d635d7d
SSDEEP

6144:+jP2Wcu1IHJa8ZSc0MBu7m4hEb5ZR/BhDTuEi:+jPqu1+rv1BuFeb5fBtuEi

Score

10^/10

gandcrab backdoor persistence ransomware

Malware Config

Signatures

GandCrab payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2676-260-0x00000000023D0000-0x00000000023E7000-memory.dmp	family_gandcrab
behavioral1/memory/2676-259-0x0000000000400000-0x0000000000B4A000-memory.dmp	family_gandcrab
behavioral1/memory/2676-262-0x0000000000400000-0x0000000000B4A000-memory.dmp	family_gandcrab
behavioral1/memory/2676-271-0x0000000000400000-0x000000000042C000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xmxhenzeuhy = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\esftmq.exe\""	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\G:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\I:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\L:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\Q:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\A:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\E:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\J:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\K:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\N:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\P:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\R:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\V:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\B:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\T:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\U:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\W:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\Y:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\O:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\M:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\S:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\X:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\Z:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
File opened (read-only)	\??\H:	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

Processes:

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\win.ini bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

pid process

2676 bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
2676 bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

pid	process
2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description	pid	process
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description	pid	process	target process
PID 2676 wrote to memory of 2312	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2312	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2312	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2312	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2132	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2132	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2132	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2132	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1400	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1400	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1400	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1400	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1952	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1952	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1952	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1952	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2804	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2804	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2804	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2804	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1232	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1232	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1232	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1232	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1704	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1704	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1704	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1704	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2088	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2088	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2088	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2088	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1368	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1368	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1368	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1368	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2168	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2168	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2168	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2168	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1700	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1700	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1700	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1700	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2324	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2324	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2324	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2324	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1556	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1556	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1556	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1556	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2844	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2844	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2844	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2844	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2972	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2972	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2972	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 2972	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1564	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1564	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1564	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe
PID 2676 wrote to memory of 1564	2676	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2312

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2132

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1400

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1952

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2804

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1232

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1704

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2088

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1368

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2168

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1700

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2324

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1556

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2844

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2972

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1564

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2540

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2640

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2668

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2536

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2664

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2764

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2728

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2036

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2144

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2176

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2980

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1860

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:996

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:800

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2008

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1712

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:540

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:992

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1900

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1112

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:304

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1660

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2288

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2940

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2292

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1720

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2892

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3064

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:684

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1728

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1528

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1288

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:932

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1152

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:412

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:852

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3068

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1744

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1684

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1588

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2860

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2600

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1880

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2556

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2672

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2704

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2708

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2744

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2736

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2172

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2464

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2872

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1716

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1208

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1096

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2040

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:804

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2480

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2472

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2208

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2220

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2944

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1760

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2452

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1508

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2828

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1904

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1040

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:572

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1596

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1012

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2588

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2260

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:948

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1580

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:636

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:836

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1176

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2356

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2848

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3008

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2520

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2560

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini
Filesize
3KB

MD5
7800c7c83befa0d9d9772cd10be2b854

SHA1
ed4ef647e9d9ca7e896a61df4269378eacf93161

SHA256
6106cdbd066c431540d3b4e013db06403cc0a7b5a93f8936529e6b02a15e61aa

SHA512
5acaa6e3e03855bd40692df9a86812a630e543cf98dba07c5d78d50bf3a306e63678109e7274e6abb46093115a2113c8af5edebb33a1b39bd9ab63eb5dba403b

Download Submit
C:\Windows\win.ini
Filesize
6KB

MD5
0b72eaff202b8e905d8ecfbed7605c1b

SHA1
baa9b72d4d9c62dd650a8d40ff0ef82c77660a18

SHA256
9bbe4d41838d2ddff869a807230bc49842f20a8c70042920b5ad023862aeb14f

SHA512
e77877f22e78387c56bd8c2fc687a6555fada606c7cabdaa7c0238c59cf7d9e9eecab34482e683cfce0eed1b8b09a699415e4319deb06556e41d629b375c61fe

Download Submit
memory/2676-257-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2676-258-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2676-260-0x00000000023D0000-0x00000000023E7000-memory.dmp

Filesize
92KB

Download
memory/2676-259-0x0000000000400000-0x0000000000B4A000-memory.dmp

Filesize
7.3MB

Download
memory/2676-262-0x0000000000400000-0x0000000000B4A000-memory.dmp

Filesize
7.3MB

Download
memory/2676-269-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2676-271-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download