8cd1b8dbc81743bdb16ccf836273f582bcc93f8183494b3cabefe18fd340e0da

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
Size

184KB
MD5

0474165119c989c50e9508659a9f8363
SHA1

b43a1847cb7d780115573cc78555ccc17a23c780
SHA256

8cd1b8dbc81743bdb16ccf836273f582bcc93f8183494b3cabefe18fd340e0da
SHA512

7045c51b47935824714dbd31faffad8635a8bc35d49b6c0adef5a49f56ffbf82177c0204ae3a8b3c7328f2a15defcb3e1569efe0773004854df4cf704ae75c45
SSDEEP

3072:qzXbgj5jPFlRbOhIVa5IF49EFTcNH8Yf/BBEt6ymy+aeC7q:UXbwzFlRaOFw7NcYnBO6xt4

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
4572	windowsalert.exe
4468	windowsalert.exe
4380	windowsalert.exe
2464	windowsalert.exe
3004	windowsalert.exe
5068	windowsalert.exe
2032	windowsalert.exe
4980	windowsalert.exe
1612	windowsalert.exe
2368	windowsalert.exe
3020	windowsalert.exe
2484	windowsalert.exe
2412	windowsalert.exe
1144	windowsalert.exe
2476	windowsalert.exe
3776	windowsalert.exe
1640	windowsalert.exe
3968	windowsalert.exe
3928	windowsalert.exe
4172	windowsalert.exe
884	windowsalert.exe
3076	windowsalert.exe
3692	windowsalert.exe
1576	windowsalert.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2284-0-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/files/0x0007000000023438-4.dat	upx
behavioral2/memory/2284-7-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/4572-10-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/4380-12-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/4468-14-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/2464-16-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/4380-17-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/3004-19-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/2464-20-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/3004-22-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/5068-24-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/2032-26-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/4980-28-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/1612-30-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/2368-32-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/3020-34-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/2484-36-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/2412-38-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/2476-40-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/1144-41-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/2476-44-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/3776-46-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/1640-48-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/3968-50-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/3928-52-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/4172-54-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/884-56-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/3076-58-0x0000000000400000-0x000000000047E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\windowsalert.exe	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 4572	2284	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe	88
PID 2284 wrote to memory of 4572	2284	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe	88
PID 2284 wrote to memory of 4572	2284	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe	88
PID 4572 wrote to memory of 4468	4572	windowsalert.exe	92
PID 4572 wrote to memory of 4468	4572	windowsalert.exe	92
PID 4572 wrote to memory of 4468	4572	windowsalert.exe	92
PID 4468 wrote to memory of 4380	4468	windowsalert.exe	93
PID 4468 wrote to memory of 4380	4468	windowsalert.exe	93
PID 4468 wrote to memory of 4380	4468	windowsalert.exe	93
PID 4380 wrote to memory of 2464	4380	windowsalert.exe	94
PID 4380 wrote to memory of 2464	4380	windowsalert.exe	94
PID 4380 wrote to memory of 2464	4380	windowsalert.exe	94
PID 2464 wrote to memory of 3004	2464	windowsalert.exe	96
PID 2464 wrote to memory of 3004	2464	windowsalert.exe	96
PID 2464 wrote to memory of 3004	2464	windowsalert.exe	96
PID 3004 wrote to memory of 5068	3004	windowsalert.exe	98
PID 3004 wrote to memory of 5068	3004	windowsalert.exe	98
PID 3004 wrote to memory of 5068	3004	windowsalert.exe	98
PID 5068 wrote to memory of 2032	5068	windowsalert.exe	99
PID 5068 wrote to memory of 2032	5068	windowsalert.exe	99
PID 5068 wrote to memory of 2032	5068	windowsalert.exe	99
PID 2032 wrote to memory of 4980	2032	windowsalert.exe	100
PID 2032 wrote to memory of 4980	2032	windowsalert.exe	100
PID 2032 wrote to memory of 4980	2032	windowsalert.exe	100
PID 4980 wrote to memory of 1612	4980	windowsalert.exe	101
PID 4980 wrote to memory of 1612	4980	windowsalert.exe	101
PID 4980 wrote to memory of 1612	4980	windowsalert.exe	101
PID 1612 wrote to memory of 2368	1612	windowsalert.exe	102
PID 1612 wrote to memory of 2368	1612	windowsalert.exe	102
PID 1612 wrote to memory of 2368	1612	windowsalert.exe	102
PID 2368 wrote to memory of 3020	2368	windowsalert.exe	103
PID 2368 wrote to memory of 3020	2368	windowsalert.exe	103
PID 2368 wrote to memory of 3020	2368	windowsalert.exe	103
PID 3020 wrote to memory of 2484	3020	windowsalert.exe	104
PID 3020 wrote to memory of 2484	3020	windowsalert.exe	104
PID 3020 wrote to memory of 2484	3020	windowsalert.exe	104
PID 2484 wrote to memory of 2412	2484	windowsalert.exe	105
PID 2484 wrote to memory of 2412	2484	windowsalert.exe	105
PID 2484 wrote to memory of 2412	2484	windowsalert.exe	105
PID 2412 wrote to memory of 1144	2412	windowsalert.exe	106
PID 2412 wrote to memory of 1144	2412	windowsalert.exe	106
PID 2412 wrote to memory of 1144	2412	windowsalert.exe	106
PID 1144 wrote to memory of 2476	1144	windowsalert.exe	107
PID 1144 wrote to memory of 2476	1144	windowsalert.exe	107
PID 1144 wrote to memory of 2476	1144	windowsalert.exe	107
PID 2476 wrote to memory of 3776	2476	windowsalert.exe	108
PID 2476 wrote to memory of 3776	2476	windowsalert.exe	108
PID 2476 wrote to memory of 3776	2476	windowsalert.exe	108
PID 3776 wrote to memory of 1640	3776	windowsalert.exe	109
PID 3776 wrote to memory of 1640	3776	windowsalert.exe	109
PID 3776 wrote to memory of 1640	3776	windowsalert.exe	109
PID 1640 wrote to memory of 3968	1640	windowsalert.exe	110
PID 1640 wrote to memory of 3968	1640	windowsalert.exe	110
PID 1640 wrote to memory of 3968	1640	windowsalert.exe	110
PID 3968 wrote to memory of 3928	3968	windowsalert.exe	111
PID 3968 wrote to memory of 3928	3968	windowsalert.exe	111
PID 3968 wrote to memory of 3928	3968	windowsalert.exe	111
PID 3928 wrote to memory of 4172	3928	windowsalert.exe	112
PID 3928 wrote to memory of 4172	3928	windowsalert.exe	112
PID 3928 wrote to memory of 4172	3928	windowsalert.exe	112
PID 4172 wrote to memory of 884	4172	windowsalert.exe	113
PID 4172 wrote to memory of 884	4172	windowsalert.exe	113
PID 4172 wrote to memory of 884	4172	windowsalert.exe	113
PID 884 wrote to memory of 3076	884	windowsalert.exe	114

C:\Users\Admin\AppData\Local\Temp\0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0474165119c989c50e9508659a9f8363_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2284
- C:\WINDOWS\SysWOW64\windowsalert.exe
  C:\WINDOWS\system32\windowsalert.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\WINDOWS\SysWOW64\windowsalert.exe
    C:\WINDOWS\system32\windowsalert.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\WINDOWS\SysWOW64\windowsalert.exe
      C:\WINDOWS\system32\windowsalert.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3076
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3692
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windowsalert.exe

Filesize
184KB

MD5
0474165119c989c50e9508659a9f8363

SHA1
b43a1847cb7d780115573cc78555ccc17a23c780

SHA256
8cd1b8dbc81743bdb16ccf836273f582bcc93f8183494b3cabefe18fd340e0da

SHA512
7045c51b47935824714dbd31faffad8635a8bc35d49b6c0adef5a49f56ffbf82177c0204ae3a8b3c7328f2a15defcb3e1569efe0773004854df4cf704ae75c45

Download Submit
memory/884-56-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-41-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1612-30-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1640-48-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2032-26-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2284-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2284-1-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2284-7-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2368-32-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2412-38-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2464-16-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2464-20-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2476-44-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2476-40-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2484-36-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3004-19-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3004-22-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3020-34-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3076-58-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3776-46-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3928-52-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3968-50-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4172-54-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4380-17-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4380-13-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4380-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4468-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4468-9-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/4572-10-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4572-6-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4980-28-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5068-24-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads