89f51809c76eace756a09b5ee09ea76659c38c3e87050a6c64bd75b632238b9b

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28/07/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
Size

239KB
MD5

05280a5b1f6eb9a2933d772558037ded
SHA1

012780b59dddd11e587e775c9ae9a454c6cf5e56
SHA256

89f51809c76eace756a09b5ee09ea76659c38c3e87050a6c64bd75b632238b9b
SHA512

8f48fc89d38a5e966a931b5dfb03e4c376a087e8a35d334fc0d78cc23c53b72cad0baa49b1f87376739268dd7a8afd8ff8ecdd46738f4cd48eaf03909991b6c4
SSDEEP

6144:rqppuGRYx4H712f/SBTpzZA6rXD40b+7TJS5:rqpNtb1YIp9AI4FS5

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2700	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
2788	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
2900	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
2596	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
1236	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
1052	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
264	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
644	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
1732	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
1128	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
624	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
2392	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
3032	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
2864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
1272	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
2120	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
2076	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
1952	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
2524	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
2272	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
1776	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
1032	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
1960	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
2368	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
2760	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
2716	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2644	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
2644	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
2700	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
2700	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
2788	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
2788	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
2900	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
2900	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
2596	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
2596	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
1236	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
1236	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
1052	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
1052	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
264	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
264	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
644	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
644	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
1732	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
1732	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
1128	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
1128	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
624	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
624	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
2392	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
2392	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
3032	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
3032	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
2864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
2864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
1272	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
1272	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
2120	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
2120	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
2076	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
2076	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
1952	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
1952	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
2524	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
2524	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
2272	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
2272	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
1776	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
1776	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
1032	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
1032	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
1960	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
1960	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
2368	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
2368	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
2760	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
2760	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = af502b5fc66fbb50	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2700	2644	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2700	2644	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2700	2644	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2700	2644	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2788	2700	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe	31
PID 2700 wrote to memory of 2788	2700	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe	31
PID 2700 wrote to memory of 2788	2700	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe	31
PID 2700 wrote to memory of 2788	2700	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe	31
PID 2788 wrote to memory of 2900	2788	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe	32
PID 2788 wrote to memory of 2900	2788	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe	32
PID 2788 wrote to memory of 2900	2788	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe	32
PID 2788 wrote to memory of 2900	2788	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe	32
PID 2900 wrote to memory of 2596	2900	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe	33
PID 2900 wrote to memory of 2596	2900	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe	33
PID 2900 wrote to memory of 2596	2900	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe	33
PID 2900 wrote to memory of 2596	2900	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe	33
PID 2596 wrote to memory of 1236	2596	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe	34
PID 2596 wrote to memory of 1236	2596	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe	34
PID 2596 wrote to memory of 1236	2596	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe	34
PID 2596 wrote to memory of 1236	2596	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe	34
PID 1236 wrote to memory of 1052	1236	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe	35
PID 1236 wrote to memory of 1052	1236	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe	35
PID 1236 wrote to memory of 1052	1236	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe	35
PID 1236 wrote to memory of 1052	1236	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe	35
PID 1052 wrote to memory of 264	1052	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe	36
PID 1052 wrote to memory of 264	1052	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe	36
PID 1052 wrote to memory of 264	1052	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe	36
PID 1052 wrote to memory of 264	1052	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe	36
PID 264 wrote to memory of 644	264	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe	37
PID 264 wrote to memory of 644	264	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe	37
PID 264 wrote to memory of 644	264	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe	37
PID 264 wrote to memory of 644	264	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe	37
PID 644 wrote to memory of 1732	644	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe	38
PID 644 wrote to memory of 1732	644	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe	38
PID 644 wrote to memory of 1732	644	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe	38
PID 644 wrote to memory of 1732	644	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe	38
PID 1732 wrote to memory of 1128	1732	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe	39
PID 1732 wrote to memory of 1128	1732	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe	39
PID 1732 wrote to memory of 1128	1732	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe	39
PID 1732 wrote to memory of 1128	1732	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe	39
PID 1128 wrote to memory of 624	1128	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe	40
PID 1128 wrote to memory of 624	1128	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe	40
PID 1128 wrote to memory of 624	1128	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe	40
PID 1128 wrote to memory of 624	1128	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe	40
PID 624 wrote to memory of 2392	624	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe	41
PID 624 wrote to memory of 2392	624	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe	41
PID 624 wrote to memory of 2392	624	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe	41
PID 624 wrote to memory of 2392	624	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe	41
PID 2392 wrote to memory of 3032	2392	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe	42
PID 2392 wrote to memory of 3032	2392	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe	42
PID 2392 wrote to memory of 3032	2392	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe	42
PID 2392 wrote to memory of 3032	2392	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe	42
PID 3032 wrote to memory of 2864	3032	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe	43
PID 3032 wrote to memory of 2864	3032	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe	43
PID 3032 wrote to memory of 2864	3032	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe	43
PID 3032 wrote to memory of 2864	3032	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe	43
PID 2864 wrote to memory of 1272	2864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe	44
PID 2864 wrote to memory of 1272	2864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe	44
PID 2864 wrote to memory of 1272	2864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe	44
PID 2864 wrote to memory of 1272	2864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe	44
PID 1272 wrote to memory of 2120	1272	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe	45
PID 1272 wrote to memory of 2120	1272	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe	45
PID 1272 wrote to memory of 2120	1272	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe	45
PID 1272 wrote to memory of 2120	1272	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe	45

C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644
- \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
  c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
    c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
      c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2900
    - - \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe

Filesize
241KB

MD5
e3dddd5ee3b0ae3980925385e6c3a079

SHA1
a4b69ffd6925110d1b5d8f689909b45fd220ff41

SHA256
d8f647dc6b9cc87a6ed8abf7f900bef6abdb700f7bc610c8f3e6342cea1ca916

SHA512
181c29b24b1a7d816125f1c5980784c367e8fdc915c2a06634fef863941390b734a938bac75eff2b8171d3468f20e6033b82794165895c83a60c1270aa9f746d

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe

Filesize
241KB

MD5
e847e95341b0ad9590ab5f1f9b4e1624

SHA1
f1479065a63a54ad516195ab4ea4c07b51bf8395

SHA256
985928c57bb9dea364ba77eea73b3ae326e670f5aeccf136f5e729c5a77bbcb4

SHA512
e484dd56c1a2cff6532c67bf3279548d6296a86cedb8ace13f88957297d51958d5c7b3f3cbc2fad47d574cd476d51ab95e678924f6845a427e0bfa8ec1c963c6

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe

Filesize
240KB

MD5
db6c8d84d7f4aff2b6ee8a89aae6350b

SHA1
6accc0f481937392f86616b61bf1118009fa402a

SHA256
a986df225985822e9500d8e6bedc3bd114e84b3fa49d96aeee27a888592a7ae1

SHA512
f558e126e081413d2d6b4b286180221c1de402027d7bac30f6a980ff943cc3db60a25a181b626254a557aed4a05ebce6e175dedd06accf079f7ab9f3774c9f19

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe

Filesize
241KB

MD5
512a87e05f1d34102974b8f3df5b7253

SHA1
dcec9913757c9ae12b7f2d7b57f54856e0809f2d

SHA256
266d2cd37dfddf6a53e2be348ac33a6ab22f861662f90cc4ebaaa6c70c346f6e

SHA512
5d7a08f23b76a551c74c993c09c6293fd5634c453ed294b2b1c8066d9823a769f4af290ead6bbe645fc71ef3a8307b20756768ccb2d61dd047b298d3e34a76e7

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe

Filesize
241KB

MD5
ccc5ab926cbf3de3c4f02a59b26f7a3f

SHA1
ecea686db838cbe7cc7245aaf26f23975058e0a6

SHA256
e27006a94896616b0a579cfc60c1a146cb82d0c23b8c86636e915a81392a3123

SHA512
75781255eec1ad5d924ae59db366093ea5524229509c59d6b92574df49062da5c1c4729a0a187e592e90b33cc7677805439781a34c92798cd41f8cc5af1e3978

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe

Filesize
242KB

MD5
0f8712db56972e56b16c2af6eaf19188

SHA1
bf2644a54834fb7eaa39f1688b44ccdf7ff0ccc6

SHA256
0c3a65eb15a7e069591538785de58ffab1853d6785f2f377299c67c2d8bb676c

SHA512
2f3b08cfe38ce8c1d3f4409577d772c93e6b9554d0805d75070276ac56efc199497a0fa34e816c9ff7741da032077aaec7c32a52d30609a0b6624ba8bf89e36d

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe

Filesize
242KB

MD5
1f301f875bfd0330272f595611ad5bc3

SHA1
6467c2c1c1588a75cd83e20bbf30547728a71d65

SHA256
7f29527968e0b3f9e6584414e1879e4907673620f62a6f0f0edb38180c42e63a

SHA512
0d5a711da88d79a833e63d1a50b75f63f58f621a1a0a3ff4b8593b8a0d6753c452c0b0b093e1d64cc2c04525c8b9180faa6e7fe347e24766da6a2281ad9637c0

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe

Filesize
242KB

MD5
1eb4c53929d0e4c0d7afc04e17724211

SHA1
fdc457e118f04ebc00717b2437f70330be5eadbe

SHA256
40a98177942b23067d3421f0cb07e5ee3ff4b4a33f0fd9b4fa9e880ae9e95bcd

SHA512
44ff19efe4d683627f0a1a3edbc5ecd37945be516e4e5a895a6feafe61b010cf42cea12d6b0ce5569fac01144b0ac0f713b3c83d8e88d0b6cdfd4206ad1a8a7a

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe

Filesize
243KB

MD5
a95224e9d310e808ba5d3c37c41b136f

SHA1
ba5712db59a946af222fa0459f7c16dbef7cdc09

SHA256
191eac551b801c6639f7888dfabdc8da93c15ef968dd5c278c0d1a557d7eb386

SHA512
e0e309e7719110b4a2e3f6dd428e65b3261471bbd4508281d433b388552e0c0f3b581c1755e575533660190b807a73974aa39ccdfe2d395625c632d8a1b395ab

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe

Filesize
243KB

MD5
87432b5622fbb4b234802213c15355c6

SHA1
b94fc965cfac458c39ed932d5e773e7f1905a8b5

SHA256
6aa58cd2b99972ea1f0246697d5cd1571c1843b90ffc2e1b3da892669babcc65

SHA512
76e9bffe21f76faae2d5f50d550d3438fb157367deee2385ab656689c9423d0f73896b3324352184ce49b0672f823b8c256e1b7e935644d38eebab22815d72c8

Download Submit
\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe

Filesize
239KB

MD5
bdf079fab7bcc7d1d954e300117d9d66

SHA1
8c264667ca134563eea5760c911827076c24b09e

SHA256
ef51ceb5b6463a68b52b3eb731bf91777ef09669381a98c481117d6f760eddcc

SHA512
aea220b16ce0353fe819329415cfda460052c6cd50c1319678f9ffde0ea935bf9dc17585506269e808e209eccc862ddc9fa76aad15235f0842d40410b0d18c22

Download Submit
\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe

Filesize
240KB

MD5
fd2ab0a4b314ddaab93680846755095e

SHA1
254bcb7a04ab7909763b06c86d6bd26b63a66ddf

SHA256
e7c7d93fb40ef752f1c5a016df44dd1d44671d90100f3817aa6f9dfe320ea223

SHA512
08b85f51ba21029e3ea7e20f71d1b2e4242ae226100915b83aa6bca21137c31a65e59d16b4a541c300fe9ef5d26eb99d476125993d8c336f65cb2c789e6ff0af

Download Submit
\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe

Filesize
240KB

MD5
67b74342b35b7b28453766fde7a83c04

SHA1
ba0f2bde7006d8cc65422b63852459a2aaa26c28

SHA256
c7d51a3819639a97b5e91a077a5fc1ffc72a8b623bbf7e40ea12154b9a872e99

SHA512
59a21b2c9f1c886d021354ea7749f28986103d951dfa7e0b4eba82b489eb6ed01717d67777b6a1c11c6e694600cc445fff16d93beab0306ba3e3f714011ff6ac

Download Submit
\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe

Filesize
240KB

MD5
a6370161d5e960ba078aa22d4385166d

SHA1
419696b3a7eb2d4caef071aef7dc780af1138ec9

SHA256
675812ed46243b6a68c91ac541eaf2c2ddcca80e6be181e0d5a0393e70ac6cbd

SHA512
5ebda536f195f8cde75b4a14bfe878baa6389ee8b782d5b153006841bdb220126124383be63c09115160a7b3dcad9b2d3b75956e6ceab6762bbb130ba7d17b0c

Download Submit
\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe

Filesize
241KB

MD5
a6c60489bcf3ec43ab2c0166d7604dc4

SHA1
29578326986f7584254dc90c0b7f91324f78ca07

SHA256
7c10c58212d9193dabdf45663578ca72b102c75c0fa827684b3b6c4b253c8d18

SHA512
eb168cf2860ebec9b1bdd2884d1576e6bad7992d9c4c46411d7ee6cb732811b78f353542d4e9152e40d685679caca03e04c3b3fe7466392c91b1795972f94a27

Download Submit
\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe

Filesize
242KB

MD5
404964bab0a297fc907e266d6f7f9525

SHA1
71e2535296660b1e5a9625715d5fe4edcd5dabd4

SHA256
a1411d80b8aba43cdeb70f9c9afb5581557b5c989fd5291e8c39e0b6412c338d

SHA512
8a5538dd8985d5d4802c089c10afac92cd120ba27e19ca5394a22077b783affd48881204814d5ce9c0e01f7def8894d9f453597b050ea30fd4fd5e5523d32a60

Download Submit
memory/264-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/264-126-0x0000000000620000-0x0000000000662000-memory.dmp

Filesize
264KB

Download
memory/624-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/624-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/644-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1032-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1052-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1052-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1236-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1272-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1776-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1776-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-287-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1952-288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-344-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2076-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2076-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-263-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2272-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2392-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2524-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2644-14-0x0000000002690000-0x00000000026D2000-memory.dmp

Filesize
264KB

Download
memory/2644-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2644-112-0x0000000002690000-0x00000000026D2000-memory.dmp

Filesize
264KB

Download
memory/2644-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-38-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-41-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2788-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3032-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3032-219-0x0000000002680000-0x00000000026C2000-memory.dmp

Filesize
264KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe\""	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads