d46d599d0e3c35af86e70d0b9d0633fe735def84ac997637862069d61a08e667

Analysis

max time kernel
131s
max time network
131s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 21:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Size

1.2MB
MD5

c31df3d8b2b8f9368e7957d0033af4e1
SHA1

ca78c2b18414a92a2303e34d35f8d03bec4fbc61
SHA256

d46d599d0e3c35af86e70d0b9d0633fe735def84ac997637862069d61a08e667
SHA512

2c3f40743c6f5b86fc4d0330bedc676a84c236721a230b06d6dd71d492a1e867f076bea1134a7e68d0d78fda477d5c4a6a366f906fb0e31e746dcc8be9e384f3
SSDEEP

24576:8uPmLDUMihIXCE58ow3HAr8KXIE5rbc918VQAPM1mFJ:8u+LIIX7Rw3HAr8KXIE9bc917AeQJ

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2924	Isass.exe
2508	Isass.exe
2684	Isass.exe
2692	Isass.exe
2452	Isass.exe
2588	Isass.exe
2436	Isass.exe
2184	Isass.exe
2624	Isass.exe
2776	Isass.exe
2224	Isass.exe
1624	Isass.exe
2240	Isass.exe
2484	Isass.exe
1400	Isass.exe
2512	Isass.exe
2268	Isass.exe
2844	Isass.exe
2284	Isass.exe
824	Isass.exe
2040	Isass.exe
3016	Isass.exe

Loads dropped DLL 24 IoCs

pid	Process
2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2656	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2556	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2604	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2788	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2416	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2360	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
796	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2744	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
1664	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2212	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
1876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2516	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
1644	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
1164	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2880	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
272	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
1340	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
1524	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2164	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2372	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2924	Isass.exe
2508	Isass.exe
2508	Isass.exe
2508	Isass.exe
2656	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2684	Isass.exe
2684	Isass.exe
2684	Isass.exe
2556	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2692	Isass.exe
2692	Isass.exe
2692	Isass.exe
2604	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2452	Isass.exe
2452	Isass.exe
2452	Isass.exe
2788	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2588	Isass.exe
2588	Isass.exe
2588	Isass.exe
2416	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2436	Isass.exe
2436	Isass.exe
2436	Isass.exe
2360	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2184	Isass.exe
2184	Isass.exe
2184	Isass.exe
796	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2624	Isass.exe
2624	Isass.exe
2624	Isass.exe
2744	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2776	Isass.exe
2776	Isass.exe
2776	Isass.exe
1664	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2224	Isass.exe
2224	Isass.exe
2224	Isass.exe
2212	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
1624	Isass.exe
1624	Isass.exe
1624	Isass.exe
1876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2240	Isass.exe
2240	Isass.exe
2240	Isass.exe
2516	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2484	Isass.exe
2484	Isass.exe
2484	Isass.exe
1644	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
1400	Isass.exe
1400	Isass.exe
1400	Isass.exe
1164	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2512	Isass.exe
2512	Isass.exe
2512	Isass.exe
2880	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2268	Isass.exe
2268	Isass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2924	2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	28
PID 2876 wrote to memory of 2924	2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	28
PID 2876 wrote to memory of 2924	2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	28
PID 2876 wrote to memory of 2924	2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	28
PID 2876 wrote to memory of 2508	2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	29
PID 2876 wrote to memory of 2508	2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	29
PID 2876 wrote to memory of 2508	2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	29
PID 2876 wrote to memory of 2508	2876	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	29
PID 2508 wrote to memory of 2656	2508	Isass.exe	30
PID 2508 wrote to memory of 2656	2508	Isass.exe	30
PID 2508 wrote to memory of 2656	2508	Isass.exe	30
PID 2508 wrote to memory of 2656	2508	Isass.exe	30
PID 2656 wrote to memory of 2684	2656	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2684	2656	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2684	2656	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2684	2656	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2556	2684	Isass.exe	32
PID 2684 wrote to memory of 2556	2684	Isass.exe	32
PID 2684 wrote to memory of 2556	2684	Isass.exe	32
PID 2684 wrote to memory of 2556	2684	Isass.exe	32
PID 2556 wrote to memory of 2692	2556	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2692	2556	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2692	2556	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2692	2556	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	33
PID 2692 wrote to memory of 2604	2692	Isass.exe	34
PID 2692 wrote to memory of 2604	2692	Isass.exe	34
PID 2692 wrote to memory of 2604	2692	Isass.exe	34
PID 2692 wrote to memory of 2604	2692	Isass.exe	34
PID 2604 wrote to memory of 2452	2604	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	35
PID 2604 wrote to memory of 2452	2604	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	35
PID 2604 wrote to memory of 2452	2604	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	35
PID 2604 wrote to memory of 2452	2604	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	35
PID 2452 wrote to memory of 2788	2452	Isass.exe	36
PID 2452 wrote to memory of 2788	2452	Isass.exe	36
PID 2452 wrote to memory of 2788	2452	Isass.exe	36
PID 2452 wrote to memory of 2788	2452	Isass.exe	36
PID 2788 wrote to memory of 2588	2788	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	37
PID 2788 wrote to memory of 2588	2788	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	37
PID 2788 wrote to memory of 2588	2788	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	37
PID 2788 wrote to memory of 2588	2788	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	37
PID 2588 wrote to memory of 2416	2588	Isass.exe	38
PID 2588 wrote to memory of 2416	2588	Isass.exe	38
PID 2588 wrote to memory of 2416	2588	Isass.exe	38
PID 2588 wrote to memory of 2416	2588	Isass.exe	38
PID 2416 wrote to memory of 2436	2416	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	39
PID 2416 wrote to memory of 2436	2416	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	39
PID 2416 wrote to memory of 2436	2416	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	39
PID 2416 wrote to memory of 2436	2416	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	39
PID 2436 wrote to memory of 2360	2436	Isass.exe	40
PID 2436 wrote to memory of 2360	2436	Isass.exe	40
PID 2436 wrote to memory of 2360	2436	Isass.exe	40
PID 2436 wrote to memory of 2360	2436	Isass.exe	40
PID 2360 wrote to memory of 2184	2360	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	41
PID 2360 wrote to memory of 2184	2360	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	41
PID 2360 wrote to memory of 2184	2360	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	41
PID 2360 wrote to memory of 2184	2360	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	41
PID 2184 wrote to memory of 796	2184	Isass.exe	42
PID 2184 wrote to memory of 796	2184	Isass.exe	42
PID 2184 wrote to memory of 796	2184	Isass.exe	42
PID 2184 wrote to memory of 796	2184	Isass.exe	42
PID 796 wrote to memory of 2624	796	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	43
PID 796 wrote to memory of 2624	796	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	43
PID 796 wrote to memory of 2624	796	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	43
PID 796 wrote to memory of 2624	796	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	43

C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        7⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        9⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        11⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        13⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        15⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        17⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        19⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        21⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        23⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        25⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        27⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        29⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        31⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        33⤵
        Loads dropped DLL
        
        PID:272
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        34⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        35⤵
        Loads dropped DLL
        
        PID:1340
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        36⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        37⤵
        Loads dropped DLL
        
        PID:1524
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        38⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        39⤵
        Loads dropped DLL
        
        PID:2164
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        40⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        41⤵
        Loads dropped DLL
        
        PID:2372
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        42⤵
        Executes dropped EXE
        
        PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe

Filesize
524KB

MD5
25833df880df030d5ef536273d1eb341

SHA1
43e86ae135fe5456287fa71712a1e27867b02193

SHA256
081dc59cc46bb97d20568013ae6007be41b9c1e8ff7e8327ea91e0edca32f862

SHA512
ae2efa715fa92cd280cad38194cf4fe8f50481b97cbcd8c89f0e56db5ecd7726bcd2e7e57c73c9473e05fc12059d21ec56737747452019b18e3a3f9d8c402e09

Download Submit
\Users\Public\Microsoft Build\Isass.exe

Filesize
624KB

MD5
1dd29920d53ec6d8215c9668a90d0a34

SHA1
cc2c4a1abeeab01b3eaf201d66cc0f86b48acfcb

SHA256
62b51132132d1aa915e4b1fea6073a49a10560fbd9bf78aabd740dd20f5bd7ac

SHA512
c99ebe656d200c8cc55b31995ec74a1a482c21a7c7c6b5b90ae782d247e9ca858d9e79227e8882beb5a766eed78f75ce41025a119ed2172c08f77fed8ad3c124

Download Submit
memory/272-79-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/796-41-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/824-95-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1164-71-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1340-83-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1400-69-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1524-90-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1624-57-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1644-67-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1664-49-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1876-59-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2040-99-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2164-97-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2184-39-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2212-53-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2224-51-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2240-61-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2268-77-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2284-85-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2360-37-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2372-102-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2416-33-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2436-35-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2452-27-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2484-65-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2508-15-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2512-73-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2516-63-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2556-21-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2588-31-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2604-26-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2624-43-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2656-18-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2684-19-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2692-23-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2744-45-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2776-47-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2788-29-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2844-81-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2876-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2876-13-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2880-75-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2924-9-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3016-106-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download