Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
03/04/2024, 19:02
Static task
static1
Behavioral task
behavioral1
Sample
a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
a414244ecb89d5bdc1a0ece12bb2c2a9
-
SHA1
fb2c07209b248f612f48a898f449da88b2624fd9
-
SHA256
59822012b04406a3df0f5893619e6129398134fc922d53ff1f1c9a6daf803f5b
-
SHA512
f0468ac67445f92a55d1f1511a169f8cada6235209dea67b133c9010201f220d4165e16d8bc50a5385f098d8733bac3ea91f4f270ea605e5768d20e40cc927e9
-
SSDEEP
24576:8uPmLDUMihIXCE5y8FyDgy7dml+i2rYNapO:8u+LIIX7Y8t+iiYN2O
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 36 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation Isass.exe
-
Executes dropped EXE 20 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
5048 a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4352
-
-
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"5⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"7⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"9⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"11⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"13⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"15⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"17⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"19⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"21⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe22⤵
- Checks computer location settings
- Executes dropped EXE
PID:644 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"23⤵
- Checks computer location settings
PID:1440 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe24⤵
- Checks computer location settings
- Executes dropped EXE
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"25⤵
- Checks computer location settings
PID:4328 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe26⤵
- Checks computer location settings
- Executes dropped EXE
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"27⤵
- Checks computer location settings
PID:4996 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe28⤵
- Checks computer location settings
- Executes dropped EXE
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"29⤵
- Checks computer location settings
PID:628 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe30⤵
- Checks computer location settings
- Executes dropped EXE
PID:4684 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"31⤵
- Checks computer location settings
PID:1696 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe32⤵
- Checks computer location settings
- Executes dropped EXE
PID:4104 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"33⤵
- Checks computer location settings
PID:4476 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe34⤵
- Checks computer location settings
- Executes dropped EXE
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"35⤵
- Checks computer location settings
PID:852 -
C:\Users\Public\Microsoft Build\Isass.exe"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe36⤵
- Checks computer location settings
- Executes dropped EXE
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5048
Network
MITRE ATT&CK Enterprise v15
Downloads