939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39

General

Target

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Size

141KB
MD5

f6ba36edaf3b699b3656fb94131d06da
SHA1

9dc88694e0f4be51cc4c6b435349f3939e6b0a47
SHA256

939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39
SHA512

c70e3cba46c8d75db05db5d4b8461ce7d3d1087d56ac635f856a9b26f85152ba465653944acb7bfe87edb5b978fc45d9c462c2f61461e4efe36e9f607fb0b6b6
SSDEEP

3072:K5yJGaBDcKFP/QCtxydMKNWUWFisaGJC:K59aBwC/QrAfaGw

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Drops file in Program Files directory 15 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\System\msadc\es-ES\operativomsdaremr.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\MicrosoftSystem.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\pdf417pmpqrcodepmp3.6.18220.0.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EscriptSignature19.10.20064.310990.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BSAFEicudt58.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\ExcelOffice.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\VisualStudioOffice10.0.60828.0.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin23309.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Windowschromeelf.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAdobe19.8.20071.303822.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\ExcelOffice.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\RuntimeVisualStudio10.0.60828.0.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\Updaterjucheck.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DynamicLibrary.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ment-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_79f9738d9cc31c46\SistemaMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..dateclient-api-host_31bf3856ad364e35_10.0.19041.1266_none_149b57f8509ce672\Microsoftwuapihost.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..sh-helper.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_46104edddbb8d5c1\dexploitationMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cttune.resources_31bf3856ad364e35_10.0.19041.1_en-us_ea4e68a86d9ee75f\OperatingCtTune.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\en-US\WindowsMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..tshow-kernelsupport_31bf3856ad364e35_10.0.19041.1_none_a84754326b0a8d07\SystemOperating.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting.resources\v4.0_4.0.0.0_es_b77a5c561934e089\MicrosoftSystem.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ed-chinese-moimeexe_31bf3856ad364e35_10.0.19041.746_none_c3054a007d804943\OperatingSystem.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_volmgr.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_53166dfec829396a\Microsoftvolmgrinf.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Boot\PCAT\lv-LV\bootmgrbootmgr.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_fr_31bf3856ad364e35\MicrosoftPowerShell.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_security-octagon-broker_31bf3856ad364e35_10.0.19041.84_none_51ae5c25baf813ff\MicrosoftWindows10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_system.data.services.resources_b77a5c561934e089_10.0.19041.1_de-de_17a2335d17932b86\Systemresources.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\it\StudioVisual8.0.50727.9149.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wlan-dialog.resources_31bf3856ad364e35_10.0.19041.1_de-de_8ff8973510904328\MicrosoftWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..gement-dmwappushsvc_31bf3856ad364e35_10.0.19041.1_none_05a0fa60217a6408\Microsoftdmwappushsvc.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_9fb6581b96beecdb\OperatingWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..qos-pacer.resources_31bf3856ad364e35_10.0.19041.1_de-de_f84b7fc1c4277fe7\Windowspacer.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..cognition.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c2a01f5e82dc8070\WindowsmshwLatin.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-twinapi.resources_31bf3856ad364e35_10.0.19041.1_it-it_2cc3ddee2162e1c2\Microsofttwinapi.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..-postboot.resources_31bf3856ad364e35_10.0.19041.1_en-us_1c78c41be099b2bf\SystemWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000437_31bf3856ad364e35_10.0.19041.1_none_aa30c2dd36406a0d\kbdgeokbdgeo10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-defender-branding.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0ec1256b9bb58a09\SystmeMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_10.0.19041.1_it-it_3fb0d0110669851d\operativoWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MUI\0409\Frameworkmscorsecr.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..skcleanup.resources_31bf3856ad364e35_10.0.19041.1_de-de_fde77c3a27df035b\LanguagePackDiskCleanupBetriebssystem10.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..s-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_0684b70ba395782e\SystemWpnService10.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..vider-dll.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0a2d27148b3d117a\OperatingWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-twinapi-appcore_31bf3856ad364e35_10.0.19041.964_none_917daa321cc2afb4\twinapiOperating10.0.19041.964.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx4-servicemodelregui_dll_b03f5f7f11d50a3a_4.0.15805.0_none_1daab57c59f46826\ServiceModelRegUIMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setupcl.resources_31bf3856ad364e35_10.0.19041.1_es-es_500b4bb9867c5c91\Sistemaoperativo.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources\v4.0_4.0.0.0_de_b77a5c561934e089\resourcesFramework.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_system.linq.expressions_b03f5f7f11d50a3a_4.0.15805.0_none_ffa9eac3cbedd1b5\LinqMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..scheduled.resources_31bf3856ad364e35_10.0.19041.1_de-de_8a23f5aac7f56dee\Betriebssystemsdiagschd10.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mapi_31bf3856ad364e35_10.0.19041.423_none_93adcfb5ace23a89\WindowsMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.1_none_b0b2b0b01128fbbb\WindowsSystem.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..necoreuap.resources_31bf3856ad364e35_10.0.19041.1_de-de_3e33e4d97cf94f6d\WindowsBetriebssystem.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_pmem.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_46ef3fd22a6e3e7d\MicrosoftWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-cmisetup_31bf3856ad364e35_10.0.19041.964_none_02ea5f3feb92375e\SystemWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasgetconnectedwizard_31bf3856ad364e35_10.0.19041.867_none_17f88bb52b16a93d\SystemMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..inspector.resources_31bf3856ad364e35_10.0.19041.1_de-de_295fad7d91e86112\BetriebssystemMicrosoft10.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_et-ee_b6275e3f810fe89f\MicrosoftCOMCTL32.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setupcl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f2c2c1b8794e72f3\SystmeMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Boot\EFI\bg-BG\bootmgrbootmgr.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_es-es_81fee3c06ca876bd\netcfgxnetiougc.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-id-connecte..nt-provider-wlidsvc_31bf3856ad364e35_10.0.19041.1_none_54400c205a77620c\WlidsvcWlidsvc10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..mplatform.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8174ebc03ded7c58\ndisimplatwmiWindows10.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-secedit_31bf3856ad364e35_10.0.19041.1_none_64d83b9e511c141f\SystemOperating.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft.windows.dsc.dsctimer.resources_31bf3856ad364e35_10.0.19041.1_it-it_6dd84c5992ed08ea\operativoMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_10.0.19041.1_es-es_b2d163cb3c65893d\Windowsoperativo10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_miguicontrols_31bf3856ad364e35_10.0.19041.488_none_2ffa4308e32b9199\SystemOperating10.0.19041.488.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_wcf-system.io.log_b03f5f7f11d50a3a_10.0.19041.1_none_53a8fc4537a1e27f\FrameworkMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sensors-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_5e24f9054e519d93\SystemSensorService.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\NativeImages\mscorlibSystem.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.19041.1_it-it_c76e6c1f200e32be\flattempflattemp.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..utilities.resources_31bf3856ad364e35_10.0.19041.1_en-us_395b84a76fe0a3b4\WindowsWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..setupstatusprovider_31bf3856ad364e35_10.0.19041.1_none_457308751e7c5eb2\SystemWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..lays-classextension_31bf3856ad364e35_10.0.19041.546_none_530994f7cfc6a3c2\MicrosoftOperating.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..-mscandui.resources_31bf3856ad364e35_10.0.19041.1_en-us_d196908189d8c678\SystemWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ngc-tasks.resources_31bf3856ad364e35_10.0.19041.1_it-it_b155b4ab8385be13\operativoMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-opengl.resources_31bf3856ad364e35_10.0.19041.1_es-es_5503eb74745e685e\operativoWindows10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winsrv.resources_31bf3856ad364e35_10.0.19041.1_it-it_8065166e6df46cac\winsrvMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-k..container.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0d958749c7907690\Microsoftdexploitation.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\resourcesresources.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

pid	process
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
4004	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\RuntimeVisualStudio10.0.60828.0.exe

Filesize
141KB

MD5
f6ba36edaf3b699b3656fb94131d06da

SHA1
9dc88694e0f4be51cc4c6b435349f3939e6b0a47

SHA256
939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39

SHA512
c70e3cba46c8d75db05db5d4b8461ce7d3d1087d56ac635f856a9b26f85152ba465653944acb7bfe87edb5b978fc45d9c462c2f61461e4efe36e9f607fb0b6b6

Download Submit
memory/4004-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4004-4-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4004-75-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads