e550de2e92f39cb03db3b05e96a500331e50c723a0be4dd0cb93053fa43b159f

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe
Size

3.0MB
MD5

4047d899cd7f48438e06fed924889aec
SHA1

c0ff2227af683c4e5eae5f3f330eb437d503f975
SHA256

e550de2e92f39cb03db3b05e96a500331e50c723a0be4dd0cb93053fa43b159f
SHA512

13193a2feea18fabaa32effb5b22e37dc5589f4b7ec2a54334d6113d0b2a4fa49298a6db8b1512d5a5bbb373ce1740a3c0bfbb1f79c74f98f39680e3526fc05a
SSDEEP

49152:KepA3/f13KGXu5MjxRN9oSCgSiVTQfFfG:0/BDXuMjxRNvSitQfFfG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 15 IoCs

pid	Process
1988	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp
2608	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp
2704	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp
2660	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2776	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
920	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
2528	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2992	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2268	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2612	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2840	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2740	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
308	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
1084	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2944	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Loads dropped DLL 36 IoCs

pid	Process
2316	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe
2316	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe
1988	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp
1988	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp
2608	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp
2608	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp
2704	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp
2704	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp
2660	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2660	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2776	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
2776	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
920	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
920	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
2528	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2528	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2992	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2992	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2268	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2268	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2612	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2612	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2840	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2840	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2740	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2740	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
308	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
308	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
1084	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
824	2944	WerFault.exe	44

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
2316	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe
2316	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe
1988	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp
1988	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp
2608	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp
2608	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp
2704	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp
2704	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp
2660	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2660	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2776	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
2776	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
920	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
920	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
2528	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2528	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2992	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2992	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2268	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2268	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2612	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2612	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2840	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2840	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2740	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2740	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
308	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
308	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
1084	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
1084	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2316	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe
1988	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp
2608	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp
2704	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp
2660	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp
2776	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
920	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
2528	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2992	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2268	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2612	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2840	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
2740	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
308	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
1084	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1988	2316	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe	30
PID 2316 wrote to memory of 1988	2316	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe	30
PID 2316 wrote to memory of 1988	2316	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe	30
PID 2316 wrote to memory of 1988	2316	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe	30
PID 1988 wrote to memory of 2608	1988	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp	31
PID 1988 wrote to memory of 2608	1988	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp	31
PID 1988 wrote to memory of 2608	1988	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp	31
PID 1988 wrote to memory of 2608	1988	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp	31
PID 2608 wrote to memory of 2704	2608	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp	32
PID 2608 wrote to memory of 2704	2608	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp	32
PID 2608 wrote to memory of 2704	2608	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp	32
PID 2608 wrote to memory of 2704	2608	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp	32
PID 2704 wrote to memory of 2660	2704	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp	33
PID 2704 wrote to memory of 2660	2704	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp	33
PID 2704 wrote to memory of 2660	2704	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp	33
PID 2704 wrote to memory of 2660	2704	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp	33
PID 2660 wrote to memory of 2776	2660	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp	34
PID 2660 wrote to memory of 2776	2660	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp	34
PID 2660 wrote to memory of 2776	2660	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp	34
PID 2660 wrote to memory of 2776	2660	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp	34
PID 2776 wrote to memory of 920	2776	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp	35
PID 2776 wrote to memory of 920	2776	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp	35
PID 2776 wrote to memory of 920	2776	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp	35
PID 2776 wrote to memory of 920	2776	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp	35
PID 920 wrote to memory of 2528	920	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp	36
PID 920 wrote to memory of 2528	920	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp	36
PID 920 wrote to memory of 2528	920	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp	36
PID 920 wrote to memory of 2528	920	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp	36
PID 2528 wrote to memory of 2992	2528	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp	37
PID 2528 wrote to memory of 2992	2528	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp	37
PID 2528 wrote to memory of 2992	2528	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp	37
PID 2528 wrote to memory of 2992	2528	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp	37
PID 2992 wrote to memory of 2268	2992	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	38
PID 2992 wrote to memory of 2268	2992	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	38
PID 2992 wrote to memory of 2268	2992	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	38
PID 2992 wrote to memory of 2268	2992	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	38
PID 2268 wrote to memory of 2612	2268	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	39
PID 2268 wrote to memory of 2612	2268	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	39
PID 2268 wrote to memory of 2612	2268	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	39
PID 2268 wrote to memory of 2612	2268	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	39
PID 2612 wrote to memory of 2840	2612	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	40
PID 2612 wrote to memory of 2840	2612	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	40
PID 2612 wrote to memory of 2840	2612	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	40
PID 2612 wrote to memory of 2840	2612	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	40
PID 2840 wrote to memory of 2740	2840	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	41
PID 2840 wrote to memory of 2740	2840	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	41
PID 2840 wrote to memory of 2740	2840	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	41
PID 2840 wrote to memory of 2740	2840	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	41
PID 2740 wrote to memory of 308	2740	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	42
PID 2740 wrote to memory of 308	2740	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	42
PID 2740 wrote to memory of 308	2740	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	42
PID 2740 wrote to memory of 308	2740	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	42
PID 308 wrote to memory of 1084	308	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	43
PID 308 wrote to memory of 1084	308	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	43
PID 308 wrote to memory of 1084	308	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	43
PID 308 wrote to memory of 1084	308	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	43
PID 1084 wrote to memory of 2944	1084	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	44
PID 1084 wrote to memory of 2944	1084	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	44
PID 1084 wrote to memory of 2944	1084	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	44
PID 1084 wrote to memory of 2944	1084	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	44
PID 2944 wrote to memory of 824	2944	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	45
PID 2944 wrote to memory of 824	2944	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	45
PID 2944 wrote to memory of 824	2944	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	45
PID 2944 wrote to memory of 824	2944	4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp	45

C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp
  C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp
    C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp
      C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 192
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp

Filesize
2.9MB

MD5
98522b849312475d5ec30a4441910f85

SHA1
1847340aa414c47b807bc6d31236be2300572f54

SHA256
243e32a937db1302f384cf2a9b7d0f77ded8643799698656bd36b1214b91420b

SHA512
006f8d4bc3c01dbea4aea59ba732aa710f05d915766df3e7c3f620f4bbadee3c63b94403dfeddcb5ffb724de9de7fa018ce072d031d022b5146c9cbec0a1e2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp

Filesize
2.8MB

MD5
0eb7696b710623466344eae268202cf8

SHA1
b1e288acf6e29d8ed2e1e0da4b03076babedcbf1

SHA256
8e55eb478dd30d13118d3a8129e79b74282ba1f9d066541d79b23e6f759f45e5

SHA512
eada96280b84ad3a4585569df6a52f0788d3aba931bc70ff0c209d1ca90f996294d6668a822732c5cb6361fe8b6f5ef7d4aaa7d6967da419a105fe50bf946f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
2.7MB

MD5
6796ab373c3b501d26e896dee39b3f29

SHA1
dd564fc4606fbf56e43719132a724394926c990d

SHA256
28b2e828cfe70e84e0ff378867672d0f819449a0b4112e6d5e215f4d82de1d24

SHA512
fc568d51bcd83b266ec5c3c61fd1de809273c6c426426aec55711370147e17e2376562b1eb43a78959840bf3306f910030f62b3f638c5fe73145b1fef2812ed2

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp

Filesize
3.0MB

MD5
5e9313f84934471c318a6c000badb2a2

SHA1
8f07b3f5037bbef6ad79cdcf2ba732c0a0e11933

SHA256
4b0f65816599384aa812c7b07ebee342f7aad783cc36ae29d1e7575f855e3048

SHA512
84edb311141fc3db70cbc61d45ed6adddc2c0f2da5a63ac114a3f5f0443fc3defd2eeeb4b29707af0982abc7b1b399d798c030f121862db784419244a8657e97

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp

Filesize
2.9MB

MD5
3fea7101b57ff7cbc52fae175c9e9d26

SHA1
ad1cdf4d87cd37841e4280205fa3987e0332dd87

SHA256
77eccb787583e2ff37ac789ffe81aa2817f4f636cfab0f3825cabe515605f95f

SHA512
25f343819e9f74af838862d8bcbdce7834f0b8d164272f3009ad29de6c0764ea761c92e16775421bc90bb56581df7b5f75033dcbbc01048ad8446617bd35df1b

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp

Filesize
2.9MB

MD5
eb32efb38b38a7b0de538dd82d25acbf

SHA1
abc65010a12913f5fbd36861b117dbb15f6c8cd0

SHA256
112aff486c1be5d8e761969a6ea18a4dad5a4b01bbec61c88f0b79042c78ca92

SHA512
c30c3591bc27ce77d07d2764fc8dc6844d2dc63c8b99f48ec5baf8f1289833cd32120b7792b07f04e7d159110dcb5c3cffd969f95d3b76fe77f61e701ddf0e12

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
2.8MB

MD5
f819341279a49350ef54189bffa56bb0

SHA1
60a6b4c719494761c59a37f027b385e386d12ac5

SHA256
e02bad16966ed2db048a437c1143211f55bf3d89989cc465beea1329e524c9bd

SHA512
06ae8908245f39cc8d045552fea327423b738230e8955a5f2f41acad9b9b65f2ef17991fb80220e47ebdd0818b92d2e6ea4f0c21cbddd5bf8b0021ea3e058eca

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
2.8MB

MD5
453ec4c58288d8a2877bb7978eafda75

SHA1
b8b744b9fa1d09345ffff23256845e7c3f4a6686

SHA256
19f5ba81a38cf5b981768af4045b41193c0deb8806b017e3390b910f7705b863

SHA512
a577a7d2caac9d46197f611735429b5efe8194d5b8ca7d8cee6175e8bd07b6b4faf3bd796b70980a886587e8feaa43865d37765f1eeb43181e50cf747f6c2347

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
2.7MB

MD5
c8bf0669abf157361faa27e622783303

SHA1
a31f925256b5daf7a10e36b6c2bc8290ea01ed8b

SHA256
ea8ca80dc96eef80c6cf006f9ae3754211452438f3a3445e324b65cbe8880843

SHA512
4fb26566ed83feb05b17fda9768724b3a9194478bbc89345a4406e9b41629f6f47c2a8ad3c2f1de9e08a29eaf2c0cb759209f63bae401b8821dfc599acf9c2ec

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
2.7MB

MD5
dd0b29622ce5e6cf2f5e19a34a048561

SHA1
61a16d84899427e1f99de163a187c05730b2511f

SHA256
feb1a84ee3deac4e81a413b875fd3e3679a8bdb661694ef6c7edfe96023125b2

SHA512
76faaac911ac90a799da9193f1ff1412e330b7b5157658ac399677dab02ef0f0a2ae7c08588c2cacff5ca100ef467d57ffc7eca057e6456097464c0de2b440c3

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
2.7MB

MD5
d0975e9ccda4035f6aef38742a936403

SHA1
53d34f69c2c7c65856a30f54c6458b77a3e84ae1

SHA256
1ef97f24fb7891348075a04dc05e827746a5e72e6f3483702984054b4736d66b

SHA512
72306b51f7d29c411a90b6bd18047ba279c17b1c36ebe792a106db998280294017af54a47066746af38a3d1776fed29af4ac8e0df79830a229c99f0494f0c460

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
2.6MB

MD5
80668976d8462adcf78d527c482daf62

SHA1
f1ab387e0db250dd286b759291f11c4616493540

SHA256
673651ea9620f9c98fe466453a055816639115118b6c375d7869d9d2e93cb840

SHA512
77d26adaf88b80e270aef92c2d5734f77a8fd653b1a4e332e5042cff9cbf4e70070a0507d9a771c7de1f42ea4bfacb333a156ca59197d7d3f5d61c51ec416ae3

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
2.6MB

MD5
9b6eafb706b0d5d7f6458a08969fdc5c

SHA1
cf07f8ba46167b4a280658454436d0a119fe8650

SHA256
311f1283f3281c74d9fa43573c89b195e891304040521296355fff630b952ece

SHA512
8c74adb40247d7e62738c83a7baf0e348631f19f3f3653f68f441270f8b87a4b305995e6642b2125ccd304da4b2edfaf4e92b23a1ef84e1c7b9dde4143a07c56

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
2.6MB

MD5
7c4e94399fed367f098ac2522232fe30

SHA1
22587b92e158eb72d221bcf39996e32d552a8b1e

SHA256
335e10ff9e88b11dc12c33d3092692c89514a06312e12c7f0b88c96f82fdc439

SHA512
1d6c20c758c84c08b864fe2f67279a8265a378eae295f7d0ad9c35300895f8154964a8cfbac10dfe7d4620118f8c66cf516950885b3ff5dbcc1373ff19cac5ac

Download Submit
\Users\Admin\AppData\Local\Temp\4047d899cd7f48438e06fed924889aec_JaffaCakes118.exe.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp.tmp

Filesize
2.5MB

MD5
d6596b87020da81c9196198671575848

SHA1
680cfcd52db19ad0ea3bcf065ff15843a49e850e

SHA256
e42feae0713e6960586b8125690289546b6fc43d2a69097fa51ff7d59aeeb19d

SHA512
ecb8f9ec36a514409dfef8e358e9a06513a1c6326e376bd1c5cb6223e81994c779c85ae4f666cc4decf2be43096df78f0d65f917d9e65397615d39bc942300a1

Download Submit
memory/2268-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads