89f51809c76eace756a09b5ee09ea76659c38c3e87050a6c64bd75b632238b9b

Analysis

max time kernel
132s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
Size

239KB
MD5

05280a5b1f6eb9a2933d772558037ded
SHA1

012780b59dddd11e587e775c9ae9a454c6cf5e56
SHA256

89f51809c76eace756a09b5ee09ea76659c38c3e87050a6c64bd75b632238b9b
SHA512

8f48fc89d38a5e966a931b5dfb03e4c376a087e8a35d334fc0d78cc23c53b72cad0baa49b1f87376739268dd7a8afd8ff8ecdd46738f4cd48eaf03909991b6c4
SSDEEP

6144:rqppuGRYx4H712f/SBTpzZA6rXD40b+7TJS5:rqpNtb1YIp9AI4FS5

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
804	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
3064	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
3124	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
3556	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
2760	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
4948	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
940	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
3360	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
4552	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
4244	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
4940	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
3892	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
376	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
384	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
1936	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
4028	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
1864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
3520	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
4364	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
2020	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
636	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
2532	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
4368	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
1104	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
3756	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
3064	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a358055f33d7df16	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 804	4692	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe	86
PID 4692 wrote to memory of 804	4692	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe	86
PID 4692 wrote to memory of 804	4692	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe	86
PID 804 wrote to memory of 3064	804	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe	87
PID 804 wrote to memory of 3064	804	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe	87
PID 804 wrote to memory of 3064	804	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe	87
PID 3064 wrote to memory of 3124	3064	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe	88
PID 3064 wrote to memory of 3124	3064	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe	88
PID 3064 wrote to memory of 3124	3064	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe	88
PID 3124 wrote to memory of 3556	3124	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe	89
PID 3124 wrote to memory of 3556	3124	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe	89
PID 3124 wrote to memory of 3556	3124	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe	89
PID 3556 wrote to memory of 2760	3556	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe	90
PID 3556 wrote to memory of 2760	3556	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe	90
PID 3556 wrote to memory of 2760	3556	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe	90
PID 2760 wrote to memory of 4948	2760	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe	91
PID 2760 wrote to memory of 4948	2760	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe	91
PID 2760 wrote to memory of 4948	2760	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe	91
PID 4948 wrote to memory of 940	4948	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe	92
PID 4948 wrote to memory of 940	4948	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe	92
PID 4948 wrote to memory of 940	4948	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe	92
PID 940 wrote to memory of 3360	940	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe	93
PID 940 wrote to memory of 3360	940	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe	93
PID 940 wrote to memory of 3360	940	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe	93
PID 3360 wrote to memory of 4552	3360	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe	94
PID 3360 wrote to memory of 4552	3360	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe	94
PID 3360 wrote to memory of 4552	3360	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe	94
PID 4552 wrote to memory of 4244	4552	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe	95
PID 4552 wrote to memory of 4244	4552	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe	95
PID 4552 wrote to memory of 4244	4552	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe	95
PID 4244 wrote to memory of 4940	4244	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe	96
PID 4244 wrote to memory of 4940	4244	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe	96
PID 4244 wrote to memory of 4940	4244	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe	96
PID 4940 wrote to memory of 3892	4940	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe	97
PID 4940 wrote to memory of 3892	4940	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe	97
PID 4940 wrote to memory of 3892	4940	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe	97
PID 3892 wrote to memory of 376	3892	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe	98
PID 3892 wrote to memory of 376	3892	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe	98
PID 3892 wrote to memory of 376	3892	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe	98
PID 376 wrote to memory of 384	376	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe	100
PID 376 wrote to memory of 384	376	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe	100
PID 376 wrote to memory of 384	376	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe	100
PID 384 wrote to memory of 1936	384	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe	101
PID 384 wrote to memory of 1936	384	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe	101
PID 384 wrote to memory of 1936	384	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe	101
PID 1936 wrote to memory of 4028	1936	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe	103
PID 1936 wrote to memory of 4028	1936	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe	103
PID 1936 wrote to memory of 4028	1936	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe	103
PID 4028 wrote to memory of 1864	4028	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe	104
PID 4028 wrote to memory of 1864	4028	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe	104
PID 4028 wrote to memory of 1864	4028	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe	104
PID 1864 wrote to memory of 3520	1864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe	105
PID 1864 wrote to memory of 3520	1864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe	105
PID 1864 wrote to memory of 3520	1864	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe	105
PID 3520 wrote to memory of 4364	3520	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe	106
PID 3520 wrote to memory of 4364	3520	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe	106
PID 3520 wrote to memory of 4364	3520	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe	106
PID 4364 wrote to memory of 2020	4364	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe	107
PID 4364 wrote to memory of 2020	4364	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe	107
PID 4364 wrote to memory of 2020	4364	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe	107
PID 2020 wrote to memory of 636	2020	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe	108
PID 2020 wrote to memory of 636	2020	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe	108
PID 2020 wrote to memory of 636	2020	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe	108
PID 636 wrote to memory of 2532	636	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe	109

C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692
- \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
  c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:804
- - \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
    c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
      c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3124
    - - \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
      - \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3756
        
        \??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe
        
        c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe

Filesize
239KB

MD5
660cb0a5eec2e6fccd9374c44ad4cc42

SHA1
a07ab5149ab5e06b85f7bc1697a2feb87e3bbb3c

SHA256
22f13873927641f87d1b5dcc6c96c3b66c79e66c2475e4229c026fa307211bb4

SHA512
74d62929138f6688a2252f8493345778a7685648da1acfd83ed8c930a28b1a0a18b28eb45d97ab7080ee5754a0950be097666f893904b15faa1f36e2d9977afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe

Filesize
240KB

MD5
a039a5183f97f7bd25a6d751854f4d3e

SHA1
65731a87de3601f9f995f64cb2cfd4d9e54e6c0e

SHA256
219eeb16433f395a56e78a0ff0e0fe0c229528d48b96f077f828f3879bc3710e

SHA512
acea998c6d366a52f51850d8a3cb379b71ff6845e9c3f5f33e7fefd90ecc2dbfdad28f59b07a6f46dd9b1365b7d716c4214b3963267caa42db3ac72fc015fd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe

Filesize
240KB

MD5
b6494a2a09c6497e4436d2fb9a311163

SHA1
2e7cbd8bb99c2f6c8f1c97e673a1cb2c17dc4b8d

SHA256
ef01c74da1cb6755d80a1ef317dacfe3b4c7f379c282352f82b248710af15020

SHA512
01df2cf899b75181f1ad105c400d00a1d2bde0b38e02ae34bb40b7f5329c20700082873cb45cb55c3e33d50992e271de170da44eceec42d0d4421ce5fd647420

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe

Filesize
240KB

MD5
5d4214673ed303658cf02e953ee7715f

SHA1
55fdbdea59c7a623e4ad57280ffa1769567070bc

SHA256
a88e9f11f0c65c8551515b37f04150cf650929823d15887a769477128d1fbca9

SHA512
31f67f21f61b4f6ec8d3bf400190c7418a67aeb43e1b173e12cb7ab2db5ca6e6120bfcdb6f65c1182d398055ca4c56ac23ef2c95a3327b4250ef8566bdabb201

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe

Filesize
240KB

MD5
3e17112e813e76f9836f4614479457b6

SHA1
a94f7d97d5990331fccee7a69e23e7c9e89a2c92

SHA256
854d835928436387c39abdf379b7c296ec81cead11833274e4558ef74f85ba65

SHA512
176f02079bd3a6a7c8b86a4f9d0a445110fb09ac4695a93d27adcc40f148d5b18d2a92f4b66be09900043176b1d028d18c57a4cecf88dc06571fadf2764e0b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe

Filesize
241KB

MD5
55b6ea045448acf03d4c91a85a15ffe7

SHA1
0213747402ca5c2a16920cf8838300baa7e05464

SHA256
b5d0f046f2281306cc47cf5a2dfcc886f4792299768523ee8956ef137b8cf418

SHA512
7a0d9f92042c8cfd5935a340be4b2d173e6704a250d45906e5fde96584ad6c622e4ef8e6531e7831ffb4fe5e48fc102786768025d92f6c4904bc5d5ee02d76f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe

Filesize
241KB

MD5
d2f0cd98aa3acbd8b7a0eef7cfbcf094

SHA1
f6fa8d2599529fe387c7d70f7a4f29466443b1cb

SHA256
e99f3114f8bbe17e912dd062bdcdd15e5c44807a7edd7ad2d707998d465f0888

SHA512
29fdfe78da58c8f2eb4d9587af894e7cee78497a7e689dd8f605a00b25b9851c374857d7d8f0b7bb821b3c108f6319875d9bdae139faa2bef386fa1962a170e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe

Filesize
241KB

MD5
7353efd5b6153b184c39d856964df7d2

SHA1
217fcf359302324ed10a73fcfea14ad584f98e94

SHA256
9bdb1c0432268dc102b23fb2f16e430bdef343d3e822ed55bef70267718011d0

SHA512
0418f5a72c26abf0dd1fd606732308bc20a1d6ea5af78c7b3423600d5167140bd7f42972d8102eabb48328057e2acc57dcd2229d8f564111102f803d04d32b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe

Filesize
242KB

MD5
a3b573051d68505cb537bc86c388d522

SHA1
21f6c7ceb29410d13bfb7a1a15677ae1d1387a16

SHA256
1cb1a7102fd7c1a2e7f1df8251c21719a3831f1ebf8e49496bba4444fc169bc5

SHA512
94072cfc3ced131c52b2885ddb661079c6ee369cc412130d7753ee363d36fd3eb4235c11fec0b2af37d613d96ae1e3677a74191be877c598b750a7e3a5cf0a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe

Filesize
242KB

MD5
6af25e000a5841d9bf47ca4384bed5e0

SHA1
ebafdaf643df96e2f593fd2e99851817e1b475ef

SHA256
9980c8c187212055768743dea8da3fe3096d7f26f77d918c162174e2fac48c44

SHA512
df03e27dcafa7d953e7f2e28c3669042b563894f92607f5bca6abcc7d96d80606b5121639804940cc3716dda645032c4ad95a1bb29317f55692b3afb41371ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe

Filesize
242KB

MD5
ff0b8ad68f3d213903209b156519fb9e

SHA1
bfb445f870b5669e21e36e49cffd6999677ae1b9

SHA256
6e72ff5fd1d0298743aa46b00f2cee2a860b4969ce531eb0321ec96b2c58ebee

SHA512
40cc14a09fda1fd269f983beef1ecc47c6fd3bc53cba92659e9c917f9daa8f005a021ac355800bf65fbaee5f99113bd3a9a8a0d05d209db860ee734bba05abdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe

Filesize
243KB

MD5
e3b57ad0b667e6b1e0bcaf2b6bd97c9a

SHA1
8997558a3ea34c6eaf14fe9b86998a349b8df859

SHA256
bad1dd6ea430150a26ea417a1d1b37d11239f1f5ff79ec05df8847ead1483a58

SHA512
15e64975948c4ba0beb51282de2d6074149cc6fad56566256e99e87a3856d86db049c1e931f2c8d849e13ce7031c659cc078229929cd0b4f9e8ad557448b49f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe

Filesize
243KB

MD5
8bae62f41df17b3a0b04030574b14cca

SHA1
5a3915068ec1225afc925b6aeb76a9b496c4fa2b

SHA256
067eddf20405033148809ec102de3e7ad365bc3b6b5451c1659bc2e771321af1

SHA512
f54a9bc494609843cb24e01fe5cc4a4f762a303475b67e3d380fd9b1d6617c765906a50a9871a4b97454f1e4bc66c8d9e0adef9949bac1f3f4263490f7e5cb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe

Filesize
243KB

MD5
9cf2c89196cfe4de55dc8711a14a701a

SHA1
436ce9a9f906deef5ef85d4994a9f31eaebb56be

SHA256
10f4d66847f92faa021fb000f98fc3a18672b76049275b18e066c1a264919ced

SHA512
21cc8cf038c12cdec63dac9d098cfe642840b357cea39be93ede09879b1957846cbebbb53c8f11b1f02c005f676c7e3a9dbe244e643856e34b9db0702ad97918

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe

Filesize
243KB

MD5
61e310eda9d9bc079e05469510093a0b

SHA1
9c344affc00b37358f0cc9736962a7be5a188a03

SHA256
da033509ec4b7b2907b14d8b9eb9adf25639d1672f81f30003ff313ee0184fe2

SHA512
57b8e2947d7389b90066d217c0a5fa1b4695f3db12242874702dc9c750f3093e6e1d9f955594688a9259b51d8d710ee8e81dc656ac6dff200bda726919c90bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe

Filesize
244KB

MD5
dc9cc81f6849afd202ec8fd43fb8299e

SHA1
7ca3ae2d7c8f03c56163a5c3d522ca86e14858f2

SHA256
b9f6ca01e52adf5604382b84c2b7e6cbcd8e15f32ab3d430617dda9f4e3afa1f

SHA512
1ab417379f112d3f8fc282f8e05f4f71290ac2453fd48e7ab61ae78efc5da6c75c563b88c353a17bbb220d89b9d7f545dd0de74d7b9f7672deab76fc90029cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe

Filesize
244KB

MD5
73f9eb0c18eba5eb160613dedc63d6e3

SHA1
6495af8e1d370bf25a4d1d8bd7b1130ecde5467e

SHA256
3df74b118c091184844f99e4d07e1a434355027ffecf5045e6d97786fbb6c8bd

SHA512
5711df396bcb8dc4b1e20d9374f3bf6c530a1a46b266df18f805b230fb47714f892a9b8ea967b8f88dbaa1b17634bbb38ff0e2fe856af437309b29f921b80784

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe

Filesize
244KB

MD5
5b930688e99504f275db4fed4730fbac

SHA1
2ea242f7f02609fca0f56004bcc5878130b04f86

SHA256
a3045f29a72f33c74b5ab1af468ceae0dc3bd602cdadcaa0f97111ca668c4af0

SHA512
972d5fd45c4994f0997341af25548936273f82dfd74e676b5f2c2d62f1e05c07f6107331e331f68895351680e5f90e27388c1ddd746001be374cfd227d52c1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe

Filesize
244KB

MD5
b8ce69a2105a5c24fe4c535a5f61f358

SHA1
5ed6ed8d7a400c298ebc3272a83758f2612a94cb

SHA256
9f1ec1abd51dbfa86517074f84aa7e497d9a16fdfc5ef1ed966728245b2f54d8

SHA512
ded36fc406ef37736bbeadc140c1765ef0e09abdb1410fde26b2cca0011efda6d1f3966c0f1c2a2adcb0ad4999ce7373d5a423755cbf6cb0e8f88505c6ffd57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe

Filesize
245KB

MD5
198e864358529414696eaf6a619212b6

SHA1
84aa8a750f19d480d03932fb417f82b0a0eeec85

SHA256
0281600aaded5464a2d98d5667694f307b4d4ade738b8d7207a67f557832a210

SHA512
a62d6dea3e71f04947ab9a61d90ff8400717ae04dd3482283dc21f9013599dce375b5a7a18fdbefee2130a11ab451e484897d42076b46b42c7b82a0fbc06b8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe

Filesize
245KB

MD5
18c5fa4eafd738024124460ae9e40734

SHA1
509d8d18dc5d679d9e1f019152ea11715dc537b5

SHA256
0b04379e2655d7c6246981966b9e4deb3720bf88a117257a4dcb94294ac0eb34

SHA512
6af7830d326ce390b8e909d5e9db05891719fad7e3878da598bf99b45e149650a93607a5ce5130f8aa138ab3773ac67887c50b81f9430e077d954e5c0cd024cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe

Filesize
245KB

MD5
8326d5f36ef8b3ac603147f03b8f3333

SHA1
a7f6b6c1bc41977946001f0173ac3a367b2c0961

SHA256
8e7494f7ad0dcc8d40573957c735ea476e0797f206984dd4098f6d54b7254acd

SHA512
df8b0b08f870482545b9e34a46fc31d41d8f5bb32af6e05878c1c7e4ab76c9e805476eb57c7c3ceda790101c6d75395ba2892b96bce8587867374c1308c03dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe

Filesize
245KB

MD5
ef00969e25bb8beabc678da3a708c489

SHA1
bafd287271d5c4dad9252fa100a61b0242e530e5

SHA256
2d13bfd2ce93e7a3693fa8d4b8653fb6907196f42a8812dfbc9e2a4a3bc461bc

SHA512
ec7bd47cd747b172d0d72aa032cbb2de8af4ea1f0c5fec19ee0d1ceec5b0467222b1b2ea51118bdbae48ab500d1284a8444417e094643f4ffe612bc37b1f3df1

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe

Filesize
241KB

MD5
00e04a95c63b75a325903e1bf2f709ea

SHA1
c2925025261ada685f63e0f5510d553d6fd397fc

SHA256
74ee0750ee66f7959c531bce66e188c2ee69476ccde9b627fe144c79ac9d585c

SHA512
d3cfc5955961a6347263c5ab7ef84d3037cadec7655137348e526498afbc52eaa4fd3f43625fecbcf267b857077cd62c9f53fb515fde8b28be1698304d320d4f

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe

Filesize
241KB

MD5
c78a598b7e88808b01c21d706e78d4df

SHA1
e2b1c75b2e52d08e4fba05fe5271d19b1072bb19

SHA256
e1a0c277054a7cc6907bc1537ce013554f02f3f359cccc5de57376532a8a933b

SHA512
5bf2d1b4f645d3c5b35b2f980554bee5a92fdd35065d0222e406e55e4f58f62da58e74842a731043b85b8b9c056ab68f30b0e874f3cfb8c97c74728eb4480457

Download Submit
\??\c:\users\admin\appdata\local\temp\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe

Filesize
242KB

MD5
9d4646b57d98f762950687f5c1eed15b

SHA1
2f951a562a0431e9d2e5687cac8296ba00f302ae

SHA256
5580e3ab9e1fcc40144435dc914eee1b0c7c98bc496a76fea290800581311790

SHA512
6725a19cbb651a9437b91636ed0b69aabe1c7fceaae6c32c1b09da701efb0d9cb7f4dd1e3ffae73027556ef60551b6a945abc4217ffcb6edfa15c52e710cec0e

Download Submit
memory/376-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/376-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/384-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/636-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/804-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/940-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1104-253-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1104-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1936-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2020-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2532-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2532-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-265-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3124-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3124-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3360-91-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3520-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3556-50-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3756-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3892-131-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4364-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4552-101-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4692-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4692-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4940-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4940-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4948-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe\""	05280a5b1f6eb9a2933d772558037ded_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202k.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202i.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202r.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202u.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202b.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202g.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202f.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202m.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202t.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202y.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202p.exe\""	05280a5b1f6eb9a2933d772558037ded_jaffacakes118_3202o.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads