njrat | 6b01e64b3574a313f2f8e1e42ce93b5444a3e99d66138aebddf7c3e3b81c601d

General

Target

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Size

463KB
MD5

194961e6ef4f3310336d23d78cb7357c
SHA1

2f016cd2b88b716fad0b1352abda350aa567004f
SHA256

6b01e64b3574a313f2f8e1e42ce93b5444a3e99d66138aebddf7c3e3b81c601d
SHA512

517218b0fc5b530a32974f3eb34f78c533b86cade7965739084d2ddec001b0d3dd8e40d23397f471664e43677ac772befc490df10adfb91a231dd3e893f026d5
SSDEEP

6144:AnSbvnbjUwnkx1kcw3llt8ix50Ki1asiBKFABnyYwRXiO73knJxH4:A8DEkL8obnmi0kJ54

Score

10^/10

njrat zgrat agilenet persistence rat trojan

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4424-4-0x0000000005150000-0x0000000005170000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4424-4-0x0000000005150000-0x0000000005170000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChrome.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe\" .."	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GoogleChrome.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe\" .."	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

description	pid	process	target process
PID 4424 set thread context of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2056 set thread context of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4492 set thread context of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3556 schtasks.exe
4236 schtasks.exe
1864 schtasks.exe
2088 schtasks.exe
3696 schtasks.exe
5044 schtasks.exe

pid	process
3556	schtasks.exe
4236	schtasks.exe
1864	schtasks.exe
2088	schtasks.exe
3696	schtasks.exe
5044	schtasks.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeDebugPrivilege	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeDebugPrivilege	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

description	pid	process	target process
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 3596 wrote to memory of 8	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 8	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 8	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 4236	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 4236	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 4236	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 2472	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 2472	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 2472	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 1864	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 1864	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 3596 wrote to memory of 1864	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 1976 wrote to memory of 1520	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 1520	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 1520	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 2088	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 2088	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 2088	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 3180	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 3180	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 3180	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 3696	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 3696	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1976 wrote to memory of 3696	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
PID 1820 wrote to memory of 512	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 512	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 512	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 5044	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 5044	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 5044	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 664	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 664	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 664	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 3556	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 3556	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe
PID 1820 wrote to memory of 3556	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
3⤵
PID:8

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 5
3⤵
- Creates scheduled task(s)
PID:4236

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:2472

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1864

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
3⤵
PID:1520

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 5
3⤵
- Creates scheduled task(s)
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:3180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:3696

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
3⤵
PID:512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 5
3⤵
- Creates scheduled task(s)
PID:5044

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:664

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:3556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/3596-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-295-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-293-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-13-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-76-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-74-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-72-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-70-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-68-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-64-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-294-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-52-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-50-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4424-2-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/4424-14-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4424-1-0x0000000000720000-0x0000000000798000-memory.dmp

Filesize
480KB

Download
memory/4424-9-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4424-8-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/4424-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/4424-7-0x0000000006350000-0x00000000063EC000-memory.dmp

Filesize
624KB

Download
memory/4424-6-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4424-5-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/4424-4-0x0000000005150000-0x0000000005170000-memory.dmp

Filesize
128KB

Download
memory/4424-3-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads