njrat | 6b01e64b3574a313f2f8e1e42ce93b5444a3e99d66138aebddf7c3e3b81c601d

General

Target

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Size

463KB
MD5

194961e6ef4f3310336d23d78cb7357c
SHA1

2f016cd2b88b716fad0b1352abda350aa567004f
SHA256

6b01e64b3574a313f2f8e1e42ce93b5444a3e99d66138aebddf7c3e3b81c601d
SHA512

517218b0fc5b530a32974f3eb34f78c533b86cade7965739084d2ddec001b0d3dd8e40d23397f471664e43677ac772befc490df10adfb91a231dd3e893f026d5
SSDEEP

6144:AnSbvnbjUwnkx1kcw3llt8ix50Ki1asiBKFABnyYwRXiO73knJxH4:A8DEkL8obnmi0kJ54

Score

10^/10

njrat zgrat agilenet persistence rat trojan

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2340-2-0x0000000000470000-0x0000000000490000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2340-2-0x0000000000470000-0x0000000000490000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe\" .."	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GoogleChrome.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe\" .."	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

description	pid	process	target process
PID 2340 set thread context of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 set thread context of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2568 set thread context of 2560	2568	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

908 schtasks.exe
2864 schtasks.exe
2108 schtasks.exe
356 schtasks.exe
2692 schtasks.exe
1148 schtasks.exe

pid	process
908	schtasks.exe
2864	schtasks.exe
2108	schtasks.exe
356	schtasks.exe
2692	schtasks.exe
1148	schtasks.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeDebugPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeDebugPrivilege	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeDebugPrivilege	2568	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exetaskeng.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

description	pid	process	target process
PID 2340 wrote to memory of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2340 wrote to memory of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2340 wrote to memory of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2340 wrote to memory of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2340 wrote to memory of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2340 wrote to memory of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2340 wrote to memory of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2340 wrote to memory of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2340 wrote to memory of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2340 wrote to memory of 1744	2340	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 1744 wrote to memory of 1880	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 1880	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 1880	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 1880	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 908	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 908	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 908	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 908	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 404	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 404	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 404	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 404	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 2864	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 2864	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 2864	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1744 wrote to memory of 2864	1744	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2172 wrote to memory of 996	2172	taskeng.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2172 wrote to memory of 996	2172	taskeng.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2172 wrote to memory of 996	2172	taskeng.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2172 wrote to memory of 996	2172	taskeng.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 wrote to memory of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 wrote to memory of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 wrote to memory of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 wrote to memory of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 wrote to memory of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 wrote to memory of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 wrote to memory of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 wrote to memory of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 wrote to memory of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 996 wrote to memory of 2476	996	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2476 wrote to memory of 1072	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 1072	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 1072	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 1072	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 2108	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 2108	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 2108	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 2108	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 796	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 796	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 796	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 796	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 356	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 356	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 356	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2476 wrote to memory of 356	2476	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2172 wrote to memory of 2568	2172	taskeng.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2172 wrote to memory of 2568	2172	taskeng.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2172 wrote to memory of 2568	2172	taskeng.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2172 wrote to memory of 2568	2172	taskeng.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2568 wrote to memory of 2560	2568	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2568 wrote to memory of 2560	2568	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2568 wrote to memory of 2560	2568	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2568 wrote to memory of 2560	2568	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
3⤵
PID:1880

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 5
3⤵
- Creates scheduled task(s)
PID:908

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\taskeng.exe
taskeng.exe {93D5B0CF-80D6-4E11-A275-033C72A393F4} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
4⤵
PID:1072

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 5
4⤵
- Creates scheduled task(s)
PID:2108

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
4⤵
PID:796

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:356

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
3⤵
PID:2560

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
4⤵
PID:1668

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 5
4⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
4⤵
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-293-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-292-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-291-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-6-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-12-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-50-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-68-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-64-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-52-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-70-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2340-1-0x0000000000D10000-0x0000000000D88000-memory.dmp

Filesize
480KB

Download
memory/2340-3-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-11-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2340-5-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-4-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2340-2-0x0000000000470000-0x0000000000490000-memory.dmp

Filesize
128KB

Download
memory/2476-303-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads