njrat | efa52eaf124f191c42b55e40d719ca1382d9953280741debb07a32aba87d45a6

General

Target

a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
Size

179KB
MD5

a019524e37f4d720d524b115b5d83f0c
SHA1

d6966cb69cea2c3b8eec893210a1efd80cfc3179
SHA256

efa52eaf124f191c42b55e40d719ca1382d9953280741debb07a32aba87d45a6
SHA512

375e5b58e99695b69c93b456ef0c13f7efd9e2bab79228136d0350b4fd137b6fd449469fc10265a019f75897a9f70f6c8a6509135b3cd95ff70f34b203697a33
SSDEEP

3072:IzlnaCPE9mf6TLSsEhWD9OP7vN4GHJFV6SFBE48giTzBG4LA0w6zH0vvEdvuB91z:IzFaEEAfaSsU8ODBJX6SFozBA0w6zUnZ

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

anonymouskillerbr1.duckdns.org:8080

Mutex

061718407ec7ca758146cb8944a62980

Attributes

reg_key
061718407ec7ca758146cb8944a62980
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1752 netsh.exe

pid	process
1752	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exeTeste.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Teste.exe

Drops startup file 2 IoCs

Processes:

Teste.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061718407ec7ca758146cb8944a62980.exe	Teste.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061718407ec7ca758146cb8944a62980.exe	Teste.exe

Executes dropped EXE 4 IoCs

Processes:

Teste.exeTeste.exeTeste.exeTeste.exe

pid process

3176 Teste.exe
5012 Teste.exe
2524 Teste.exe
1992 Teste.exe

pid	process
3176	Teste.exe
5012	Teste.exe
2524	Teste.exe
1992	Teste.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Teste.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\061718407ec7ca758146cb8944a62980 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Teste.exe\" .."	Teste.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\061718407ec7ca758146cb8944a62980 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Teste.exe\" .."	Teste.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exeTeste.exeTeste.exeTeste.exe

description	pid	process	target process
PID 1696 set thread context of 1844	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1844 set thread context of 936	1844	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 set thread context of 1868	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 3176 set thread context of 5012	3176	Teste.exe	Teste.exe
PID 5012 set thread context of 2524	5012	Teste.exe	Teste.exe
PID 2524 set thread context of 1992	2524	Teste.exe	Teste.exe

Drops file in Windows directory 4 IoCs

Processes:

a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exeTeste.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	Teste.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	Teste.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1192 schtasks.exe
3956 schtasks.exe

pid	process
1192	schtasks.exe
3956	schtasks.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Teste.exe

description	pid	process
Token: SeDebugPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe
Token: 33	1992	Teste.exe
Token: SeIncBasePriorityPrivilege	1992	Teste.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exeTeste.exeTeste.exe

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
2⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\HwgugQ" /XML "C:\Users\Admin\AppData\Local\Temp\aggggg.xml"
4⤵
- Creates scheduled task(s)
PID:1192

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
4⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
4⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
4⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
4⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
4⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
4⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Roaming\Teste.exe
"C:\Users\Admin\AppData\Roaming\Teste.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Roaming\Teste.exe
"C:\Users\Admin\AppData\Roaming\Teste.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Roaming\Teste.exe
"C:\Users\Admin\AppData\Roaming\Teste.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\HwgugQ" /XML "C:\Users\Admin\AppData\Local\Temp\a55555.xml"
8⤵
- Creates scheduled task(s)
PID:3956

C:\Users\Admin\AppData\Roaming\Teste.exe
"C:\Users\Admin\AppData\Roaming\Teste.exe"
8⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Teste.exe" "Teste.exe" ENABLE
9⤵
- Modifies Windows Firewall
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe.log
Filesize
223B

MD5
cde6529abeea500fb852f29ba0da6115

SHA1
45f2f48492417ae6a0eade8aaa808d3d1d760743

SHA256
d7f4964443470b6729865676d76f5f1f416da633033071c34ea5eb19cdea53b5

SHA512
c95fa7faf6a90f32060dba70f79c4d66c68d6eec587306fb98f36fc3ba5d377ebf9dabf47298b71db208fb10f7ccb4e0ed82236c8f26bcc746552588bbb38234

Download Submit
C:\Users\Admin\AppData\Local\Temp\aggggg.xml
Filesize
1KB

MD5
42c3e13bc525b0d910d511f547c0ba6d

SHA1
c7e62d35212b1a74ff9261ccabd3c78d3d93aab2

SHA256
8d3d3fcc7e7d65f1b3ffc77593a676dc913e0ac1169872d298c3b4f72a15d080

SHA512
12f020ae413d09ee86228ae7db1d79882c8fce9eebcfef32472aa47310358c858b37edcc489d77081c279472519624144e43297707bd92f74fe72051b689a924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
Filesize
390B

MD5
a3b44a9c9c25c284e59a79cca9032024

SHA1
acdff56d7f339fdd5daafbcc3b2b6a8366e60e37

SHA256
bdf12545e3d1d344ae607054acf23832b2afd1e61c4c7a966ee1f99e85974191

SHA512
32e5d8326e31b00a5c6f0b4fd9fffac8dc829dd386939b24f74d3c4bdc42daa0034098526f45655208b2b7d39bc6a6f739ba7e1ead3104a6bdd929e311a620cd

Download Submit
C:\Users\Admin\AppData\Roaming\Teste.exe
Filesize
179KB

MD5
a019524e37f4d720d524b115b5d83f0c

SHA1
d6966cb69cea2c3b8eec893210a1efd80cfc3179

SHA256
efa52eaf124f191c42b55e40d719ca1382d9953280741debb07a32aba87d45a6

SHA512
375e5b58e99695b69c93b456ef0c13f7efd9e2bab79228136d0350b4fd137b6fd449469fc10265a019f75897a9f70f6c8a6509135b3cd95ff70f34b203697a33

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
820B

MD5
a5f2d6f4b9866a5abf6cc696d499be4b

SHA1
442a5ced89eb2837957c255deaa2f3659f986a63

SHA256
7aa44e5cb81085f4d74b925a5cae116a3ae6dfe66eb54438ca8695e9e736de58

SHA512
37abca77062980537e57ffd72c5ed53bab6f2fae854103ecc4da0987dd930c6faf12777d199140d36ed778eb1b9dc11562d54ba7b65c1329d2b2aff747ff7bb0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
478B

MD5
af00ead251ceb043a35cf559bd0dd049

SHA1
f5e3d42d244daf3c4cfb5c4aca4644fc1f65ff9d

SHA256
2af4420f80b27fac120b86b8a1ac71f7557674ed0b41aa053444ca7c8d9dfd82

SHA512
3337379587f1f149754a9cfb70859c67ce59234f44be58faef1f1d30fb40e8337e2bae02e50ede452fc86a9ee24c45513879f0f90a84f19a96477a051f4b9fcd

Download Submit
memory/936-33-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/936-23-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/936-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/936-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/936-26-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/936-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1696-2-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

Filesize
64KB

Download
memory/1696-25-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1696-1-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1696-0-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1844-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1844-18-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1844-13-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1844-15-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/1844-5-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1844-24-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1844-3-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1868-34-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1868-35-0x0000000001940000-0x0000000001950000-memory.dmp

Filesize
64KB

Download
memory/1868-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1868-47-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1868-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1868-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1992-94-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/1992-93-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1992-90-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/1992-91-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1992-89-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/2524-80-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/2524-81-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/2524-88-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/3176-67-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/3176-51-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/3176-49-0x00000000015B0000-0x00000000015C0000-memory.dmp

Filesize
64KB

Download
memory/3176-48-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/5012-72-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/5012-76-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/5012-70-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/5012-68-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 1696 wrote to memory of 4524	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1696 wrote to memory of 4524	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1696 wrote to memory of 4524	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1696 wrote to memory of 1844	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1696 wrote to memory of 1844	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1696 wrote to memory of 1844	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1696 wrote to memory of 1844	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1696 wrote to memory of 1844	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1696 wrote to memory of 1844	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1696 wrote to memory of 1844	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1696 wrote to memory of 1844	1696	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1844 wrote to memory of 936	1844	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1844 wrote to memory of 936	1844	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1844 wrote to memory of 936	1844	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1844 wrote to memory of 936	1844	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1844 wrote to memory of 936	1844	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1844 wrote to memory of 936	1844	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1844 wrote to memory of 936	1844	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1844 wrote to memory of 936	1844	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 1192	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	schtasks.exe
PID 936 wrote to memory of 1192	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	schtasks.exe
PID 936 wrote to memory of 1192	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	schtasks.exe
PID 936 wrote to memory of 3504	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 3504	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 3504	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 2496	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 2496	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 2496	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 3660	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 3660	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 3660	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 384	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 384	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 384	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 4540	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 4540	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 4540	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 380	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 380	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 380	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 1868	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 1868	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 1868	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 1868	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 1868	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 1868	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 1868	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 936 wrote to memory of 1868	936	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 1868 wrote to memory of 3176	1868	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	Teste.exe
PID 1868 wrote to memory of 3176	1868	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	Teste.exe
PID 1868 wrote to memory of 3176	1868	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	Teste.exe
PID 3176 wrote to memory of 5012	3176	Teste.exe	Teste.exe
PID 3176 wrote to memory of 5012	3176	Teste.exe	Teste.exe
PID 3176 wrote to memory of 5012	3176	Teste.exe	Teste.exe
PID 3176 wrote to memory of 5012	3176	Teste.exe	Teste.exe
PID 3176 wrote to memory of 5012	3176	Teste.exe	Teste.exe
PID 3176 wrote to memory of 5012	3176	Teste.exe	Teste.exe
PID 3176 wrote to memory of 5012	3176	Teste.exe	Teste.exe
PID 3176 wrote to memory of 5012	3176	Teste.exe	Teste.exe
PID 5012 wrote to memory of 2524	5012	Teste.exe	Teste.exe
PID 5012 wrote to memory of 2524	5012	Teste.exe	Teste.exe
PID 5012 wrote to memory of 2524	5012	Teste.exe	Teste.exe
PID 5012 wrote to memory of 2524	5012	Teste.exe	Teste.exe
PID 5012 wrote to memory of 2524	5012	Teste.exe	Teste.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads