c5d161943588300c4677255d50aeacd9d6552d2d5d4f7a4202630f04abc7090b

Analysis

max time kernel
145s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 07:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
Size

159KB
MD5

4d500517676b12e48615e886b1241fb1
SHA1

55bf3d261a9ad015212d61c06aa30dfba9903156
SHA256

c5d161943588300c4677255d50aeacd9d6552d2d5d4f7a4202630f04abc7090b
SHA512

120e76154aa9c22603e47d004e5bfeebe63dc1de35094b703659b6b849e43e5ddf0dea2c9b6c1d3c4b5eb57621a29d67122a325f51fb6788f449184393d91285
SSDEEP

3072:ez2CY1htTsv1vhxkuHMfZ81A1/emx5yb3pv3gpvuEcK3krZUz5L+B:4Y1htTs9vjMfZ81eQ3lg9ulKcZUzM

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftInstaller41 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe"	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\miniinstallerOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe"	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\WindowsOperating.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\NPPDF32Adobe19.10.20064.310990.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ManagerAcrobat.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\Libraryprcr19.8.20071.303822.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\WebInstallerwidevinecdmadapterdll.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\WordpadFilterMicrosoft.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\MicrosoftPresentation.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DAO360Microsoft.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObjTipTsf10.0.19041.1.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\NPPDF32Adobe19.10.20064.310990.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeScCoreUtilities.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32rOperating.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AcrobatAdobe.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AcrobatAiod.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\MicrosoftEdge92.0.902.67.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\Systmedexploitation.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\ado\it-IT\Microsoftmsader15.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipResWindows10.0.19041.1.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\operativoWindows10.0.19041.1.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod19.8.20071.303822.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\MicrosoftEdge92.0.902.67.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\MicrosoftMicrosoft03.60.9765.0.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\StudioVisual.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe

Drops file in Windows directory 51 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\x86_netfx4-alink_dll_b03f5f7f11d50a3a_4.0.15805.0_none_9f8467d2c3cf975d\Frameworkalink.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..ncontroller-library_31bf3856ad364e35_10.0.19041.264_none_90ba872b37ccf2cd\OperatingSystem.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.DeveloperLicense.Commands\v4.0_10.0.0.0__31bf3856ad364e35\SystemWindows.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000470_31bf3856ad364e35_10.0.19041.1_none_a715b57b383fb0e0\kbdiboOperating.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..ctivities.resources_31bf3856ad364e35_10.0.19041.1_de-de_f50e6b2575b489c9\UtilityPowerShell.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Resources\3.0.0.0_fr_b77a5c561934e089\servicemodelsystem.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..d-experience-smsapi_31bf3856ad364e35_10.0.19041.264_none_df4a5f86ba17c864\WindowsSystem.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Appx.PackageManager.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\PackageManagerMicrosoft.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\operativoWindows10.0.19041.1.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ingshandlers-region_31bf3856ad364e35_10.0.19041.1081_none_1830f07005c2525e\WindowsSettingsHandlersRegion10.0.19041.1081.160101.0800.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fax-status-monitor_31bf3856ad364e35_10.0.19041.1_none_3f361b1396dc1e32\OperatingSystem10.0.19041.1.160101.0800.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..licy-admin-scrptadm_31bf3856ad364e35_10.0.19041.572_none_b9931025f81d7b1b\Windowsscrptadm.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_10.0.19041.1_en-us_ce7a85b750327612\OperatingMicrosoft.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob\v4.0_3.0.0.0__31bf3856ad364e35\MicrosoftScheduledJob10.0.19041.1.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Boot\EFI\lv-LV\bootmgrOperetajsistema.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..keyboard-korean_103_31bf3856ad364e35_10.0.19041.1_none_778aa19a76adf622\Systemkbd103.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_serviceinitiatedhealing-client.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b7ddfde84b20e5d9\MicrosoftWindows.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..e-runtime.resources_31bf3856ad364e35_10.0.19041.1_de-de_57a31ef671a9a1d9\RuntimeTestingFramework.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Appx.PackageManager.Commands.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\dexploitationWindowsR10.0.19041.1.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-updatepolicy.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_501f7a1318196640\ReaderMicrosoft.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ja-JP\FrameworkServiceModelEvents.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_dual_usbxhci.inf_31bf3856ad364e35_10.0.19041.1266_none_b7aaeaf31645aa79\MicrosoftWindows10.0.19041.1266.160101.0800.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ementmanifests-base_31bf3856ad364e35_10.0.19041.746_none_a3f2b036f8e7a3ca\WindowsOperating.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ci-wldp-dll_31bf3856ad364e35_10.0.19041.1_none_4af57b1829d0fc36\OperatingWindows.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_it-it_df63cdbfa0630f4f\Microsoftoperativo.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-icsigd.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_774c44769cba17a9\icsigdWindows.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\resourcesComSvcConfig.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..xecutable.resources_31bf3856ad364e35_10.0.19041.1_it-it_abd67c7ccdb802a8\SistemaUNLODCTR.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ntlanui2.resources_31bf3856ad364e35_10.0.19041.1_en-us_f8f80d0b800a44cd\Systemntlanui2.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\zippedCompressed.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_4846895bdfda263c\WindowsMicrosoft6.6.19041.1.160101.0800.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ncdprop.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_765a49f1286c2ce9\OperatingMicrosoft.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..vault-cpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_db746734769920ac\Microsoftoperativo.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\InstallShieldIsIcoRes.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ie-iexpress.resources_31bf3856ad364e35_11.0.19041.1_it-it_9a12d738f9358b2c\WEXTRACTWextract.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Boot\EFI\zh-TW\WindowsSystem.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..evicehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_8e14bbb3f85d3d50\BetriebssystemWindows.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\en-US\PresentationHostDllFramework285.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-deviceguard-wmi_31bf3856ad364e35_10.0.19041.1_none_a9647c8007eecd32\SystemMicrosoft.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\resourcesPowerShell.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shlwapi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3890ce5b80ac9308\WindowsSHLWAPI.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-e..host-peer.resources_31bf3856ad364e35_10.0.19041.1_es-es_ea31b5d9f466d7e1\operativoWindows.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-syncres.resources_31bf3856ad364e35_10.0.19041.1_en-us_e43cfdce8e5a628f\OperatingSyncRes.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.19041.1266_none_23ae8c0349f1b325\MicrosoftWindows.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sstext3d.resources_31bf3856ad364e35_10.0.19041.1_de-de_966dad649336c317\BetriebssystemWindows.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Boot\PCAT\pl-PL\Systembootmgr.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasbase-ndiswan_31bf3856ad364e35_10.0.19041.1151_none_6808a5d10c74690a\WindowsOperating10.0.19041.1151.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\diagnostics\system\Power\it-IT\SistemaWindows10.0.19041.1.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\3082\mscoreesmscoreeis4.8.4084.0.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\ImmersiveControlPanel\en-US\OperatingSystemSettings10.0.19041.1266.160101.0800.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
File created	C:\Windows\IME\MicrosoftSpTip.exe	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
4324	4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d500517676b12e48615e886b1241fb1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\MicrosoftPresentation.exe

Filesize
159KB

MD5
4d500517676b12e48615e886b1241fb1

SHA1
55bf3d261a9ad015212d61c06aa30dfba9903156

SHA256
c5d161943588300c4677255d50aeacd9d6552d2d5d4f7a4202630f04abc7090b

SHA512
120e76154aa9c22603e47d004e5bfeebe63dc1de35094b703659b6b849e43e5ddf0dea2c9b6c1d3c4b5eb57621a29d67122a325f51fb6788f449184393d91285

Download Submit
memory/4324-3-0x0000000000448000-0x000000000044C000-memory.dmp

Filesize
16KB

Download
memory/4324-4-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4324-74-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download