97fa16c0e60ac6685412fc705e6a2dea33be89b1d3b999b5e675741a9f27bb32

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
Size

321KB
MD5

0497546b77d039b398f1862b6054bd44
SHA1

e2818e53821d7e80a01cb87adeb1915ee29ddaa8
SHA256

97fa16c0e60ac6685412fc705e6a2dea33be89b1d3b999b5e675741a9f27bb32
SHA512

7cae6b064f6530643dbc2ca6d7706bd3c8704440362ce3baa97fd6520420bdbd256e85ea2b866a2266a4c29ad0b40e52ec4be0e2842a696cea167dff9e343f83
SSDEEP

6144:rqppuGRYx4H712f/SBTpzZA6rXD40b+7TJAq:rqpNtb1YIp9AI4FAq

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2624	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
2312	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
2524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
2136	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
2428	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
1652	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
2100	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
2724	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
588	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
632	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
1248	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
2148	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
2176	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
1556	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
2404	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
1540	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
572	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
2304	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
1856	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
3024	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
1928	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
2132	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
320	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
2624	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
2700	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2708	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
2708	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
2624	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
2624	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
2312	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
2312	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
2524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
2524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
2136	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
2136	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
2428	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
2428	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
1652	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
1652	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
2100	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
2100	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
2724	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
2724	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
588	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
588	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
632	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
632	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
1248	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
1248	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
2148	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
2148	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
2176	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
2176	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
1556	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
1556	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
2404	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
2404	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
1540	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
1540	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
572	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
572	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
2304	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
2304	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
1856	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
1856	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
3024	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
3024	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
1928	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
1928	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
2132	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
2132	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
320	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
320	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
2624	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
2624	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 72e4ea93edc2ee96	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2624	2708	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2624	2708	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2624	2708	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2624	2708	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2648	2624	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe	31
PID 2624 wrote to memory of 2648	2624	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe	31
PID 2624 wrote to memory of 2648	2624	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe	31
PID 2624 wrote to memory of 2648	2624	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe	31
PID 2648 wrote to memory of 2312	2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe	32
PID 2648 wrote to memory of 2312	2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe	32
PID 2648 wrote to memory of 2312	2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe	32
PID 2648 wrote to memory of 2312	2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe	32
PID 2312 wrote to memory of 2524	2312	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe	33
PID 2312 wrote to memory of 2524	2312	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe	33
PID 2312 wrote to memory of 2524	2312	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe	33
PID 2312 wrote to memory of 2524	2312	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe	33
PID 2524 wrote to memory of 2136	2524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe	34
PID 2524 wrote to memory of 2136	2524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe	34
PID 2524 wrote to memory of 2136	2524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe	34
PID 2524 wrote to memory of 2136	2524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe	34
PID 2136 wrote to memory of 2428	2136	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe	35
PID 2136 wrote to memory of 2428	2136	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe	35
PID 2136 wrote to memory of 2428	2136	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe	35
PID 2136 wrote to memory of 2428	2136	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe	35
PID 2428 wrote to memory of 1652	2428	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe	36
PID 2428 wrote to memory of 1652	2428	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe	36
PID 2428 wrote to memory of 1652	2428	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe	36
PID 2428 wrote to memory of 1652	2428	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe	36
PID 1652 wrote to memory of 2100	1652	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe	37
PID 1652 wrote to memory of 2100	1652	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe	37
PID 1652 wrote to memory of 2100	1652	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe	37
PID 1652 wrote to memory of 2100	1652	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe	37
PID 2100 wrote to memory of 2724	2100	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe	38
PID 2100 wrote to memory of 2724	2100	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe	38
PID 2100 wrote to memory of 2724	2100	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe	38
PID 2100 wrote to memory of 2724	2100	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe	38
PID 2724 wrote to memory of 588	2724	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe	39
PID 2724 wrote to memory of 588	2724	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe	39
PID 2724 wrote to memory of 588	2724	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe	39
PID 2724 wrote to memory of 588	2724	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe	39
PID 588 wrote to memory of 632	588	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe	40
PID 588 wrote to memory of 632	588	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe	40
PID 588 wrote to memory of 632	588	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe	40
PID 588 wrote to memory of 632	588	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe	40
PID 632 wrote to memory of 1248	632	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe	41
PID 632 wrote to memory of 1248	632	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe	41
PID 632 wrote to memory of 1248	632	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe	41
PID 632 wrote to memory of 1248	632	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe	41
PID 1248 wrote to memory of 2148	1248	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe	42
PID 1248 wrote to memory of 2148	1248	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe	42
PID 1248 wrote to memory of 2148	1248	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe	42
PID 1248 wrote to memory of 2148	1248	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe	42
PID 2148 wrote to memory of 2176	2148	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe	43
PID 2148 wrote to memory of 2176	2148	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe	43
PID 2148 wrote to memory of 2176	2148	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe	43
PID 2148 wrote to memory of 2176	2148	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe	43
PID 2176 wrote to memory of 1556	2176	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe	44
PID 2176 wrote to memory of 1556	2176	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe	44
PID 2176 wrote to memory of 1556	2176	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe	44
PID 2176 wrote to memory of 1556	2176	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe	44
PID 1556 wrote to memory of 2404	1556	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe	45
PID 1556 wrote to memory of 2404	1556	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe	45
PID 1556 wrote to memory of 2404	1556	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe	45
PID 1556 wrote to memory of 2404	1556	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe	45

C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708
- \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
  c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2624
- - \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
    c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
      c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2312
    - - \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:320
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe

Filesize
321KB

MD5
52951d8960a4a649f55637f33b7664f4

SHA1
e3d00fd98eb5d76e5c7dfea6426472032edc9643

SHA256
33c9bc3731ef81c593e39acc843952215f8615b07a909d31b95f7c6a7f6adef5

SHA512
cd1877f5ad7307388485d89d36dc3bda567604d9eeeb4ff3760705108c91653dbb9d840790d1302f84eb6164eef6fc4c3a3894a41ee40ebbc0c6ddb0a104301d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe

Filesize
322KB

MD5
fda1bfd2416036f7c217ebd0ffbfdf3e

SHA1
f642fad990b901871a23b5806cfe6b8b65a58523

SHA256
2a246c8ebdab77f91161a7389085e6594c0171992d610e8fc2276be01389e8bc

SHA512
4851c7f64f0639a901032890343d8775bbda920e8840eab7319c780180839157870120653cc1a55d15a61d1b16a5e81a9c48c0517cd8e1e6b9aa4d65bf13193c

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe

Filesize
322KB

MD5
d0f46f565159e17e4786b490ff11e1cb

SHA1
459032cd86052f4e98073fda1c26063cf3b43cdc

SHA256
b4ae0d77a15da3d5f6e4e967f90a159b4b04f60071c7c6a039a43e135596ca7f

SHA512
e577e3482a014785a5fcdd6b452187c0a189218162dd8f356cbe93af1f65a806da3483f9c43985b244cb092703ee2a66ba69b76b4bee3a411cbd91e7fc2c916d

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe

Filesize
321KB

MD5
b9040ad86bfd32a0e920e1d58778cd82

SHA1
2e3da7f656cb95b258c1dfdc532a923e9717bdbf

SHA256
9972f3c0d892381be335707304e9de3321ede5447aea7f808c2f4e509ce9e6c8

SHA512
3aa3eb9d35031edacf5897067d34486f60fd84fa2bcfa5cd897de71de22bf65b754901abab2df813854e34448eedca532640ec9e6abd04a8e0841e2b49a4cd88

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe

Filesize
321KB

MD5
3c8d34b617c3a5533694684f389f2f93

SHA1
fe42d212b50429fde00d9cd3b90ea3b501268d06

SHA256
55618beaec9778e4a60f8a5cb5cdb724d65530e7a912f79e7a52f8371b55a9c8

SHA512
5cd6570f1379ec6efd783747738f7933887d2233bcc55326b41699092c97424185881bf0c68cc001923b7a3662edb401fced3fa0b542ac0d4d1d479b81b20ffd

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe

Filesize
322KB

MD5
55f54c09c98d26e630c1e81acd43b511

SHA1
683bfc04a1d389ba43176d542fd01b5118d81b88

SHA256
94cc0cbcbe839df641513b5682ba6db032d6a7e903aa68614f6deda905c8de99

SHA512
cde82825fff6bebb5f12dd31c6ea49d1e4f0b2ec95110cda43e1119ff921e1ea03685552588cbcec8d57d990517866e62e9ea80624c26f6ea4c8784ab5eb6c7c

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe

Filesize
322KB

MD5
f5aaff2ab1b2abf874a16ad38d3c243a

SHA1
eef6eb5282cc23d728a9530af3d015d006ba9f7b

SHA256
ed40510274c792f9d9afa75e99ef1d69f2e5a667c2c3530a478e418c3ed28af5

SHA512
334bd2fe0d21020753c8505ffc00d1dffd0369f5e0c08158a992219439179fe72db42ca4b2bbe4d272241afc5a7e74cf4d186b94343e1e0e1c16129b5f4ea77c

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe

Filesize
322KB

MD5
8d1691e317ad63d20e63769cbf239d19

SHA1
76d5cc0d5f9ff54611930aed0aa7cc23e2866b1e

SHA256
68ef018fa3c823d9e3e659abd3c16084e92906243d7de8a79e1389ed2ae2627e

SHA512
fbc903d666c310538ca1a7274e325e006033eb054ef91cc57607703a2a702bd295b412544a76f0a5ca44ebf51d8a884dce61f30b15c9ff51de40d1655b224591

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe

Filesize
323KB

MD5
7ca5a7612e8146ad8ae42d00dfb3ff5e

SHA1
064bb9f121b803630f34fe39f2524d5a210014f6

SHA256
a6babf1c70ce0ef26d634fa2f1a0ef1bd270704dc639c344b9400c711f303d75

SHA512
037b227f6a74445e4c06f64fb75a4dc30f47ffdd99c3f6abdcdc5b8ffa171848f682986567627b79df5563a56b01f9b1f2bd291ebe961d746f9639643f301748

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe

Filesize
323KB

MD5
264d67e56ac863eda55ebef2ff106e11

SHA1
fc67d138ae570ddc814a748f26d6eff2f1688373

SHA256
4e986e3790ccabf22487bb78c5878d1e9a7b5376136751ced8a4d1b7c1db2063

SHA512
647a0717ebd701af86f3759219a96d4942a8b79ac29b5a1c57524b3d4f511b4112ad4cadb77b6b3f7cfe6ce4e2951c3c993a2cfb68bc0664d4bec8f24f74a9f2

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe

Filesize
323KB

MD5
893b61d0c46d0ae5bfad5cd128d765c0

SHA1
e2d9a72cd52d865bd64f21c4eaaa28d5f5c4197e

SHA256
0292bd8eca3e81008816eb5553ff59a566efbaf8a3d40b6e43069f8268986e23

SHA512
f40b58c441e64b5ca96095d8dc5d7a5f900d0ac8e54e5ac171b8a0f4ca0fc8a8919bbed638d84f88b19cca00af2daf723440553c9cabded1fe6666d46197d982

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe

Filesize
323KB

MD5
a1cb8c8bae37e02376bb5cebb3905d8e

SHA1
a7786dd00983fbd3fbe0799b1cb35e9be63552b7

SHA256
59cf5ce24275a125dcd6dd0ff844ceab42da872c69b724412235855023200286

SHA512
f0b019a0d76c8b388bbe618ff8cd269fa1fe94f34688bd0021afba9e56f1b2330b5e4b837e89119a5cb662ee4246eaa0a7e6bf970bda2a835a8e9cad82657e5e

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe

Filesize
324KB

MD5
02f80d2d603752296b49b23665ce029c

SHA1
32d87b5f21b6e605d779455331a5070f9b1d1dd9

SHA256
4a0fa298cd1e9298d65324c6bd82c2e3597395c93e64a3b38fdd95bff7fa670a

SHA512
1510349f1941d039d5e37c6ecb84acfdf9ab317821e59daf03932bbc23c44499d225d85230f085023fe93cb726864018f66699ab343a9c1b8fcf248eb1dc0b2d

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe

Filesize
324KB

MD5
9575497c24fdddfa8a9a0308afb86c25

SHA1
942c029876346bf893ed9a7a71168900c74fbc7a

SHA256
83f251b343999d74c3109dbc55d579800bb216903b6b53bb81174f59c619feea

SHA512
d3224846e2e056b6ff77cc60101353fdd410a6a9dcc5ed12f7b9035a0d6b64dc514f1573f0a616227d1b7b2a460275f5a52cbfd7de15d345ebd84a80e318f1dd

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe

Filesize
324KB

MD5
5e6d7343421d399b8c98cda22a52a121

SHA1
ca096cfbbc792e388be666e3eb6f780573bd9b33

SHA256
42b6fa5ec7dc10cd2f628c7bfecefc686d4eac750546be7d8e13a87d336437ec

SHA512
13f21474d50c90db7e86f7e45b773531640ed4b380cc974e560fe5425cb2bedc3de54013f25659b3f24da42a2119610122c37092e54dfce121f3c14d1f51e386

Download Submit
\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe

Filesize
324KB

MD5
fbc58026d44c62323426066a6d31e8bb

SHA1
abc53f8a1b1898928dddb578b5d979dad5c15cd1

SHA256
28d707a8cc29de4ab4217aee814f7d6b604ad54c76b7ffab1f7bd3f099af91d9

SHA512
d371c4fc23a5d9fc578abc53206ab6a8c3510cad1763c93b852aaecdb67c5bfdcdf4902510525566de56a1b906319af1ff0ef0edc3e3e9c346fd3bd8ecc3dbed

Download Submit
memory/320-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/320-365-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/572-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/588-171-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/588-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/632-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1248-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1248-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1540-282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1540-342-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1540-283-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1540-271-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1556-249-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/1556-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1652-114-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1652-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1652-126-0x0000000001DB0000-0x0000000001DF2000-memory.dmp

Filesize
264KB

Download
memory/1856-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1856-319-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1928-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-138-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2100-144-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2132-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-353-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/2136-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2136-95-0x0000000002660000-0x00000000026A2000-memory.dmp

Filesize
264KB

Download
memory/2136-94-0x0000000002660000-0x00000000026A2000-memory.dmp

Filesize
264KB

Download
memory/2148-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2176-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2176-239-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2176-246-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-306-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2304-305-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2312-46-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-56-0x0000000001D30000-0x0000000001D72000-memory.dmp

Filesize
264KB

Download
memory/2312-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-270-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-268-0x00000000005E0000-0x0000000000622000-memory.dmp

Filesize
264KB

Download
memory/2404-267-0x00000000005E0000-0x0000000000622000-memory.dmp

Filesize
264KB

Download
memory/2428-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2524-76-0x0000000001D70000-0x0000000001DB2000-memory.dmp

Filesize
264KB

Download
memory/2524-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2524-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2524-77-0x0000000001D70000-0x0000000001DB2000-memory.dmp

Filesize
264KB

Download
memory/2624-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-39-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/2700-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-160-0x0000000001C40000-0x0000000001C82000-memory.dmp

Filesize
264KB

Download
memory/3024-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3024-331-0x0000000001D00000-0x0000000001D42000-memory.dmp

Filesize
264KB

Download
memory/3024-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe\""	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads