Analysis

Max time kernel: 121s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 19-07-2024 15:39

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: 5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe
Resource: win7-20240704-en (windows7-x64)
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe
Resource: win10v2004-20240709-en (windows10-2004-x64)
5 signatures, 150 seconds
General

Target: 5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe
Size: 21KB
MD5: 5c92248e956852874cfb7d9c07d20780
SHA1: d4a352fa8d532cc7358b7fdfad82cff6a58e23a7
SHA256: d5fa10d5c7143bb17dcf502c3893532630381bd1ed1132dff6906ee082ebec45
SHA512: e3966bc3d7deb4b2e023ab5e1fab1f8ac8e47f7418607fe72bf6730be099a7a3df019d3cb9a02e272ef0d08e152e4fd522dcdbbeba1639fbde521a02d432b712
SSDEEP: 384:Vgtawy+cJyi34dW/83Lm5DI8pM77UJtNFI2CsZeXCn8fltC0fU/T4fZB:VgXxni34dW/83Lmd/pMfCtE2uSnGy0fZ
Score: 7/10
Malware Config
Signatures

Executes dropped EXE (64 IoCs)

pid   Process
2832  emsn.exe
2628  emsn.exe
2768  emsn.exe
2596  emsn.exe
952   emsn.exe
2352  emsn.exe
984   emsn.exe
2932  emsn.exe
2256  emsn.exe
2068  emsn.exe
1704  emsn.exe
2992  emsn.exe
2912  emsn.exe
3012  emsn.exe
3040  emsn.exe
2928  emsn.exe
304   emsn.exe
2548  emsn.exe
1040  emsn.exe
1300  emsn.exe
1920  emsn.exe
1932  emsn.exe
2236  emsn.exe
1852  emsn.exe
844   emsn.exe
2444  emsn.exe
712   emsn.exe
1428  emsn.exe
2532  emsn.exe
1356  emsn.exe
1524  emsn.exe
1916  emsn.exe
328   emsn.exe
872   emsn.exe
2416  emsn.exe
2496  emsn.exe
1264  emsn.exe
2892  emsn.exe
2136  emsn.exe
1764  emsn.exe
896   emsn.exe
324   emsn.exe
1672  emsn.exe
2432  emsn.exe
2872  emsn.exe
2728  emsn.exe
1568  emsn.exe
2848  emsn.exe
2264  emsn.exe
2800  emsn.exe
2732  emsn.exe
2768  emsn.exe
2648  emsn.exe
2652  emsn.exe
1820  emsn.exe
576   emsn.exe
1804  emsn.exe
984   emsn.exe
1332  emsn.exe
580   emsn.exe
2520  emsn.exe
2268  emsn.exe
2576  emsn.exe
2948  emsn.exe
Loads dropped DLL (64 IoCs)

pid   Process
2812  5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe
2812  5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe
2832  emsn.exe
2628  emsn.exe
2628  emsn.exe
2768  emsn.exe
2596  emsn.exe
2596  emsn.exe
952   emsn.exe
2352  emsn.exe
2352  emsn.exe
984   emsn.exe
2932  emsn.exe
2932  emsn.exe
2256  emsn.exe
2068  emsn.exe
2068  emsn.exe
1704  emsn.exe
2992  emsn.exe
2992  emsn.exe
2912  emsn.exe
3012  emsn.exe
3012  emsn.exe
3040  emsn.exe
2928  emsn.exe
2928  emsn.exe
304   emsn.exe
2548  emsn.exe
2548  emsn.exe
1040  emsn.exe
1300  emsn.exe
1300  emsn.exe
1920  emsn.exe
1932  emsn.exe
1932  emsn.exe
2236  emsn.exe
1852  emsn.exe
1852  emsn.exe
844   emsn.exe
2444  emsn.exe
2444  emsn.exe
1428  emsn.exe
1428  emsn.exe
1356  emsn.exe
1356  emsn.exe
1916  emsn.exe
1916  emsn.exe
872   emsn.exe
872   emsn.exe
2496  emsn.exe
2496  emsn.exe
2892  emsn.exe
2892  emsn.exe
1764  emsn.exe
1764  emsn.exe
324   emsn.exe
324   emsn.exe
2432  emsn.exe
2432  emsn.exe
2728  emsn.exe
2728  emsn.exe
2848  emsn.exe
2848  emsn.exe
2800  emsn.exe
YARA rule matches in memory dumps (all 64 hits are rule upx on the 0x0000000000400000-0x000000000044B000 image region)

resource                                                                     yara_rule
behavioral1/memory/2812-6-0x0000000000400000-0x000000000044B000-memory.dmp   upx
behavioral1/memory/2812-5-0x0000000000400000-0x000000000044B000-memory.dmp   upx
behavioral1/memory/2812-14-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2628-30-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2628-28-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2628-27-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2596-44-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2596-43-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2596-45-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2352-64-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2932-77-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2068-90-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2992-103-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/3012-116-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2928-129-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2548-143-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1300-151-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1300-156-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1932-169-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1852-182-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2444-189-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1428-199-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1356-207-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1916-215-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/872-223-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2496-231-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2892-239-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1764-247-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/324-255-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2432-263-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2728-271-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2848-279-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2800-287-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2768-295-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2652-303-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/576-311-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/984-319-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/580-327-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2268-335-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2948-344-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2912-352-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2908-360-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2920-368-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/772-376-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/1296-384-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2540-392-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2504-400-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1968-406-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2024-416-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2568-424-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2532-432-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1664-440-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/908-448-0x0000000000400000-0x000000000044B000-memory.dmp  upx
behavioral1/memory/2284-456-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1952-464-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1480-472-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2740-480-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2888-486-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2804-493-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2824-502-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2780-510-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/2760-518-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1820-526-0x0000000000400000-0x000000000044B000-memory.dmp upx
behavioral1/memory/1844-534-0x0000000000400000-0x000000000044B000-memory.dmp upx
Drops file in System32 directory (64 IoCs)

description   ioc                           Process
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  emsn.exe
File created  C:\Windows\SysWOW64\emsn.exe  emsn.exe
File created  C:\Windows\SysWOW64\emsn.exe  emsn.exe
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  emsn.exe
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  emsn.exe
File created  C:\Windows\SysWOW64\emsn.exe  emsn.exe
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  emsn.exe
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  emsn.exe
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
File created  C:\Windows\SysWOW64\emsn.exe  emsn.exe
File created  C:\Windows\SysWOW64\emsn.exe  Process not Found
Suspicious use of SetThreadContext (64 IoCs)

description (pid set thread context of procid_target)   Process                                             procid_target
2840 set thread context of 2812   5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe  30
2832 set thread context of 2628   emsn.exe  32
2768 set thread context of 2596   emsn.exe  34
952 set thread context of 2352    emsn.exe  36
984 set thread context of 2932    emsn.exe  38
2256 set thread context of 2068   emsn.exe  40
1704 set thread context of 2992   emsn.exe  42
2912 set thread context of 3012   emsn.exe  44
3040 set thread context of 2928   emsn.exe  46
304 set thread context of 2548    emsn.exe  48
1040 set thread context of 1300   emsn.exe  50
1920 set thread context of 1932   emsn.exe  52
2236 set thread context of 1852   emsn.exe  54
844 set thread context of 2444    emsn.exe  56
712 set thread context of 1428    emsn.exe  58
2532 set thread context of 1356   emsn.exe  60
1524 set thread context of 1916   emsn.exe  62
328 set thread context of 872     emsn.exe  64
2416 set thread context of 2496   emsn.exe  66
1264 set thread context of 2892   emsn.exe  68
2136 set thread context of 1764   emsn.exe  70
896 set thread context of 324     emsn.exe  72
1672 set thread context of 2432   emsn.exe  74
2872 set thread context of 2728   emsn.exe  76
1568 set thread context of 2848   emsn.exe  78
2264 set thread context of 2800   emsn.exe  80
2732 set thread context of 2768   emsn.exe  82
2648 set thread context of 2652   emsn.exe  84
1820 set thread context of 576    emsn.exe  86
1804 set thread context of 984    emsn.exe  88
1332 set thread context of 580    emsn.exe  90
2520 set thread context of 2268   emsn.exe  92
2576 set thread context of 2948   emsn.exe  94
3004 set thread context of 2912   emsn.exe  96
2684 set thread context of 2908   emsn.exe  98
2860 set thread context of 2920   emsn.exe  100
304 set thread context of 772     emsn.exe  102
2028 set thread context of 1296   emsn.exe  104
2692 set thread context of 2540   emsn.exe  106
2020 set thread context of 2504   emsn.exe  108
2168 set thread context of 1968   emsn.exe  110
1644 set thread context of 2024   emsn.exe  112
1960 set thread context of 2568   emsn.exe  114
1736 set thread context of 2532   emsn.exe  116
1512 set thread context of 1664   emsn.exe  118
1508 set thread context of 908    emsn.exe  120
2220 set thread context of 2284   emsn.exe  122
2292 set thread context of 1952   emsn.exe  124
1780 set thread context of 1480   emsn.exe  126
548 set thread context of 2740    emsn.exe  128
2836 set thread context of 2804   emsn.exe  132
2988 set thread context of 2824   emsn.exe  134
2720 set thread context of 2780   emsn.exe  136
2636 set thread context of 2760   emsn.exe  138
2672 set thread context of 1820   emsn.exe  140
848 set thread context of 1844    emsn.exe  142
2964 set thread context of 2260   emsn.exe  144
1800 set thread context of 2072   emsn.exe  146
3056 set thread context of 668    emsn.exe  148
2572 set thread context of 3004   emsn.exe  150
2852 set thread context of 3020   emsn.exe  152
2820 set thread context of 2952   emsn.exe  154
1148 set thread context of 2656   emsn.exe  156
2580 set thread context of 1152   emsn.exe  158
Suspicious use of WriteProcessMemory (64 IoCs; identical rows are listed once with their repeat count)

description (pid wrote to memory of procid_target)   Process                                             procid_target   rows
2840 wrote to memory of 2812   5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe  30   x6
2812 wrote to memory of 2832   5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe  31   x4
2832 wrote to memory of 2628   emsn.exe  32   x6
2628 wrote to memory of 2768   emsn.exe  33   x4
2768 wrote to memory of 2596   emsn.exe  34   x6
2596 wrote to memory of 952    emsn.exe  35   x4
952 wrote to memory of 2352    emsn.exe  36   x6
2352 wrote to memory of 984    emsn.exe  37   x4
984 wrote to memory of 2932    emsn.exe  38   x6
2932 wrote to memory of 2256   emsn.exe  39   x4
2256 wrote to memory of 2068   emsn.exe  40   x6
2068 wrote to memory of 1704   emsn.exe  41   x4
1704 wrote to memory of 2992   emsn.exe  42   x4
Processes

Each line is a child of the line above it; the leading number is the nesting depth shown in the report. Columns: depth, image path, command line, PID, signatures matched on that process.

1    C:\Users\Admin\AppData\Local\Temp\5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe"  PID: 2840  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
2    C:\Users\Admin\AppData\Local\Temp\5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\5c92248e956852874cfb7d9c07d20780_JaffaCakes118.exe  PID: 2812  signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
3    C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2832  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
4    C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2628  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5    C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2768  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
6    C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2596  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7    C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 952  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
8    C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2352  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9    C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 984  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
10   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2932  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2256  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
12   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2068  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1704  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
14   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2992  signatures: Executes dropped EXE; Loads dropped DLL
15   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2912  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
16   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 3012  signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
17   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 3040  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
18   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2928  signatures: Executes dropped EXE; Loads dropped DLL
19   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 304  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
20   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2548  signatures: Executes dropped EXE; Loads dropped DLL
21   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1040  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
22   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1300  signatures: Executes dropped EXE; Loads dropped DLL
23   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1920  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
24   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1932  signatures: Executes dropped EXE; Loads dropped DLL
25   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2236  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
26   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1852  signatures: Executes dropped EXE; Loads dropped DLL
27   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 844  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
28   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2444  signatures: Executes dropped EXE; Loads dropped DLL
29   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 712  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
30   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1428  signatures: Executes dropped EXE; Loads dropped DLL
31   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2532  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
32   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1356  signatures: Executes dropped EXE; Loads dropped DLL
33   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1524  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
34   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1916  signatures: Executes dropped EXE; Loads dropped DLL
35   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 328  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
36   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 872  signatures: Executes dropped EXE; Loads dropped DLL
37   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2416  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
38   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2496  signatures: Executes dropped EXE; Loads dropped DLL
39   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1264  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
40   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2892  signatures: Executes dropped EXE; Loads dropped DLL
41   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2136  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
42   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1764  signatures: Executes dropped EXE; Loads dropped DLL
43   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 896  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
44   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 324  signatures: Executes dropped EXE; Loads dropped DLL
45   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1672  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
46   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2432  signatures: Executes dropped EXE; Loads dropped DLL
47   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2872  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
48   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2728  signatures: Executes dropped EXE; Loads dropped DLL
49   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1568  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
50   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2848  signatures: Executes dropped EXE; Loads dropped DLL
51   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2264  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
52   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2800  signatures: Executes dropped EXE; Loads dropped DLL
53   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2732  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
54   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2768  signatures: Executes dropped EXE
55   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2648  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
56   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2652  signatures: Executes dropped EXE
57   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1820  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
58   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 576  signatures: Executes dropped EXE
59   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1804  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
60   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 984  signatures: Executes dropped EXE
61   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1332  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
62   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 580  signatures: Executes dropped EXE
63   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2520  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
64   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2268  signatures: Executes dropped EXE
65   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2576  signatures: Executes dropped EXE; Suspicious use of SetThreadContext
66   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2948  signatures: Executes dropped EXE
67   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 3004  signatures: Suspicious use of SetThreadContext
68   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2912  signatures: none
69   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2684  signatures: Suspicious use of SetThreadContext
70   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2908  signatures: none
71   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2860  signatures: Suspicious use of SetThreadContext
72   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2920  signatures: none
73   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 304  signatures: Suspicious use of SetThreadContext
74   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 772  signatures: none
75   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2028  signatures: Suspicious use of SetThreadContext
76   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1296  signatures: none
77   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2692  signatures: Suspicious use of SetThreadContext
78   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2540  signatures: none
79   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2020  signatures: Suspicious use of SetThreadContext
80   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2504  signatures: none
81   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2168  signatures: Suspicious use of SetThreadContext
82   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1968  signatures: none
83   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1644  signatures: Suspicious use of SetThreadContext
84   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2024  signatures: none
85   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1960  signatures: Suspicious use of SetThreadContext
86   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2568  signatures: none
87   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1736  signatures: Suspicious use of SetThreadContext
88   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2532  signatures: none
89   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1512  signatures: Suspicious use of SetThreadContext
90   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1664  signatures: none
91   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1508  signatures: Suspicious use of SetThreadContext
92   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 908  signatures: none
93   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2220  signatures: Suspicious use of SetThreadContext
94   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2284  signatures: none
95   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2292  signatures: Suspicious use of SetThreadContext
96   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1952  signatures: none
97   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1780  signatures: Suspicious use of SetThreadContext
98   C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1480  signatures: none
99   C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 548  signatures: Suspicious use of SetThreadContext
100  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2740  signatures: none
101  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2132  signatures: none
102  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2888  signatures: none
103  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2836  signatures: Suspicious use of SetThreadContext
104  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2804  signatures: none
105  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2988  signatures: Suspicious use of SetThreadContext
106  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2824  signatures: none
107  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2720  signatures: Suspicious use of SetThreadContext
108  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2780  signatures: none
109  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2636  signatures: Suspicious use of SetThreadContext
110  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2760  signatures: none
111  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2672  signatures: Suspicious use of SetThreadContext
112  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1820  signatures: none
113  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 848  signatures: Suspicious use of SetThreadContext
114  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 1844  signatures: none
115  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2964  signatures: Suspicious use of SetThreadContext
116  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2260  signatures: none
117  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 1800  signatures: Suspicious use of SetThreadContext
118  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 2072  signatures: none
119  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 3056  signatures: Suspicious use of SetThreadContext
120  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 668  signatures: none
121  C:\Windows\SysWOW64\emsn.exe  cmdline: "C:\Windows\system32\emsn.exe"  PID: 2572  signatures: Suspicious use of SetThreadContext
122  C:\Windows\SysWOW64\emsn.exe  cmdline: C:\Windows\SysWOW64\emsn.exe  PID: 3004  signatures: none