Analysis Overview
SHA256
59822012b04406a3df0f5893619e6129398134fc922d53ff1f1c9a6daf803f5b
Threat Level: Shows suspicious behavior
The file a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 19:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 19:02
Reported
2024-04-03 19:04
Platform
win7-20240221-en
Max time kernel
140s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
Network
Files
C:\Users\Public\Microsoft Build\Isass.exe
| Hash | Value |
|---|---|
| MD5 | dedd8708721873baf3d803c3554dc7dd |
| SHA1 | 070047ee6b6fe52be226009c817370f6e69f9d31 |
| SHA256 | 529b1a8217a932c507302ad85cd050d294316c7155122026ea11ef0233397685 |
| SHA512 | 913bac5400e1fcdff288521a1832330566d2c136e899f4a60874509dd0837d09b3b474af57da951fd50f1a8abdad2edfd0a463827b4f1b7dbbfd5a9cf7d3fd92 |
memory/1720-14-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2192-15-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2608-20-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2672-23-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2256-28-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2480-34-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2624-37-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2476-42-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2908-45-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1108-50-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1108-51-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2268-52-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2716-56-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2268-54-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/1988-61-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/308-62-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/308-63-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/1988-58-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/1824-68-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1584-66-0x0000000000400000-0x00000000016A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
| Hash | Value |
|---|---|
| MD5 | 276c1b7f46b8488344e85387c9ce6e80 |
| SHA1 | 2901f43aa439f48baf786018696546e580ba9880 |
| SHA256 | 608c5265075bacf05353a4d816fe815ec1ba2e95bb88313d5cf38655274841be |
| SHA512 | 5e02be9cfd27c3de2e17618958c5b82b38ef402ca59c260a1c93e2b0ac30871be29f43b3f160c8adb9c56061f5138db33a07e172c7c445c62fe0cd78f5fd1c8f |
memory/1824-75-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/1584-64-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2716-57-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2908-48-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2532-44-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2532-43-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2476-38-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2624-36-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2480-31-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2620-30-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2620-29-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2256-24-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2672-22-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2608-17-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2192-16-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-9-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1720-0-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2384-76-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-79-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-80-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-87-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-88-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-96-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-97-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-103-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-104-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-113-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-114-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-125-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-126-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2384-138-0x0000000000400000-0x00000000016A3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 19:02
Reported
2024-04-03 19:04
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Microsoft Build\Isass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
| C:\Users\Public\Microsoft Build\Isass.exe | "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.122.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/5020-0-0x0000000001AA0000-0x0000000001AA1000-memory.dmp
C:\Users\Public\Microsoft Build\Isass.exe
| Hash | Value |
|---|---|
| MD5 | dedd8708721873baf3d803c3554dc7dd |
| SHA1 | 070047ee6b6fe52be226009c817370f6e69f9d31 |
| SHA256 | 529b1a8217a932c507302ad85cd050d294316c7155122026ea11ef0233397685 |
| SHA512 | 913bac5400e1fcdff288521a1832330566d2c136e899f4a60874509dd0837d09b3b474af57da951fd50f1a8abdad2edfd0a463827b4f1b7dbbfd5a9cf7d3fd92 |
memory/4352-5-0x0000000001A50000-0x0000000001A51000-memory.dmp
memory/2564-8-0x0000000001A70000-0x0000000001A71000-memory.dmp
memory/5020-7-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2324-10-0x0000000001B00000-0x0000000001B01000-memory.dmp
memory/2564-9-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2324-12-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/3108-13-0x0000000003710000-0x0000000003711000-memory.dmp
memory/3292-15-0x0000000003800000-0x0000000003801000-memory.dmp
memory/3108-14-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4544-18-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/3292-17-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4544-19-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/5080-20-0x0000000001A50000-0x0000000001A51000-memory.dmp
memory/4064-23-0x0000000001A60000-0x0000000001A61000-memory.dmp
memory/5080-22-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4064-24-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4476-25-0x0000000001B50000-0x0000000001B51000-memory.dmp
memory/4408-28-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/4476-27-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4692-30-0x0000000001A60000-0x0000000001A61000-memory.dmp
memory/4408-29-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/824-33-0x00000000024A0000-0x00000000024A1000-memory.dmp
memory/4692-32-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4932-35-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/824-34-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/5048-38-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/4932-37-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/5048-39-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4576-40-0x0000000001A30000-0x0000000001A31000-memory.dmp
memory/4368-43-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/4576-42-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4676-45-0x0000000001A00000-0x0000000001A01000-memory.dmp
memory/4368-44-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2344-48-0x0000000001C70000-0x0000000001C71000-memory.dmp
memory/4600-50-0x0000000001A80000-0x0000000001A81000-memory.dmp
memory/4676-47-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2344-49-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4600-52-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2616-53-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2616-54-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2124-55-0x0000000002160000-0x0000000002161000-memory.dmp
memory/644-58-0x0000000001A40000-0x0000000001A41000-memory.dmp
memory/2124-57-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/644-59-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/1440-60-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/1440-62-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4524-63-0x0000000001A30000-0x0000000001A31000-memory.dmp
memory/4328-65-0x0000000001A60000-0x0000000001A61000-memory.dmp
memory/4524-64-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2408-68-0x0000000001A00000-0x0000000001A01000-memory.dmp
memory/4328-67-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/2408-69-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4996-70-0x0000000003810000-0x0000000003811000-memory.dmp
memory/1100-73-0x0000000001A30000-0x0000000001A31000-memory.dmp
memory/4996-72-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/628-75-0x0000000001A50000-0x0000000001A51000-memory.dmp
memory/1100-74-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/628-77-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4684-78-0x0000000001A70000-0x0000000001A71000-memory.dmp
memory/4684-79-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/1696-80-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/1696-82-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-83-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4104-84-0x0000000001A60000-0x0000000001A61000-memory.dmp
memory/4476-86-0x0000000001A00000-0x0000000001A01000-memory.dmp
memory/4104-85-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/1516-89-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/4476-88-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/852-91-0x0000000001A60000-0x0000000001A61000-memory.dmp
memory/1516-90-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/852-93-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/5024-94-0x0000000000170000-0x0000000000171000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
| Hash | Value |
|---|---|
| MD5 | 276c1b7f46b8488344e85387c9ce6e80 |
| SHA1 | 2901f43aa439f48baf786018696546e580ba9880 |
| SHA256 | 608c5265075bacf05353a4d816fe815ec1ba2e95bb88313d5cf38655274841be |
| SHA512 | 5e02be9cfd27c3de2e17618958c5b82b38ef402ca59c260a1c93e2b0ac30871be29f43b3f160c8adb9c56061f5138db33a07e172c7c445c62fe0cd78f5fd1c8f |
memory/5024-105-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-111-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-112-0x0000000000400000-0x00000000016A3000-memory.dmp
C:\odt\office2016setup.exe
| Hash | Value |
|---|---|
| MD5 | d8055cda69331f4f37c18884d24833de |
| SHA1 | ac89e8d5a454621904706379a23eb239fbf13de0 |
| SHA256 | 06855835067e1e441ae668647e35c8118993b24356bc00b03c0744d88dbc419d |
| SHA512 | a1849831a5c160e2d023fe09af4cccad39ac0725315f6936c8858e9315769a05bd59a91db6c7493b1a208f5c86cd833e95715a1fa853c1aed39608fcd2ab9445 |
memory/4352-116-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-117-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-122-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-123-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-132-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-133-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-140-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-141-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-153-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-154-0x0000000000400000-0x00000000016A3000-memory.dmp
memory/4352-163-0x0000000000400000-0x00000000016A3000-memory.dmp