Analysis
max time kernel: 149s
max time network: 18s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 16-08-2024 22:24
Static task: static1
Behavioral task: behavioral1
  Sample: a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Size: 252KB
MD5: a02b961480e8b7fc9313c6e2ae480442
SHA1: fa6243f289015a1a78a5fd28f3eba56d07c33f6b
SHA256: be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120
SHA512: c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792
SSDEEP: 6144:b1Wj/JCXHjMc5qKeMuFFKN0jb2ZlhdBJVjY/eRUExoJyOYHB7qY8zIK0GznuAXyk:pWj
Malware Config
Signatures
-
Detects Andromeda payload. 2 IoCs
resource | yara_rule
behavioral1/memory/2416-24-0x0000000000020000-0x0000000000025000-memory.dmp | family_andromeda
behavioral1/memory/2416-51-0x0000000000020000-0x0000000000025000-memory.dmp | family_andromeda
-
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\10753 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msiaxeooo.exe" | svchost.exe
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 58 IoCs
-
Maps connected drives based on registry 3 TTPs 58 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 58 IoCs
-
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\PROGRA~3\LOCALS~1\Temp\msiaxeooo.exe | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious behavior: MapViewOfSection 58 IoCs
-
Suspicious use of SetWindowsHookEx 29 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
- C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 3060), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1572), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\syswow64\svchost.exe (PID 2416), command line: C:\Windows\syswow64\svchost.exe
      - Adds policy Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2448), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 3036), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\syswow64\svchost.exe (PID 2720), command line: C:\Windows\syswow64\svchost.exe
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2824), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2660), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\syswow64\svchost.exe (PID 2256), command line: C:\Windows\syswow64\svchost.exe
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 3048), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2972), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 1720), command line: C:\Windows\syswow64\svchost.exe
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2596), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1516), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 3024), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 3004), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 600), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2116), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2888), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2240), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2020), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 408), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1196), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 1828), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2212), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1696), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2680), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 612), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2648), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 1244), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 1756), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1672), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2356), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2852), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2732), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2764), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2884), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2716), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 1608), command line: C:\Windows\syswow64\svchost.exe
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 400), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2792), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 1100), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 1964), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1564), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 332), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 3040), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1760), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2224), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2156), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2112), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 564), command line: C:\Windows\syswow64\svchost.exe
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 352), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2164), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 1928), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2404), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 844), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 1544), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 784), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1996), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2016), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2604), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2232), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2676), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 1600), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1668), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 1120), command line: C:\Windows\syswow64\svchost.exe
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 1948), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2868), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2932), command line: C:\Windows\syswow64\svchost.exe
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 3056), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1924), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 924), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 1048), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2992), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2776), command line: C:\Windows\syswow64\svchost.exe
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2844), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2608), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 2412), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 836), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2132), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 912), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2408), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 2524), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 900), command line: C:\Windows\syswow64\svchost.exe
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2600), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\49662594\49662594.exe (PID 1004), command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\syswow64\svchost.exe (PID 984), command line: C:\Windows\syswow64\svchost.exe
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe (PID 2004), command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
252KB
MD5 a02b961480e8b7fc9313c6e2ae480442
SHA1 fa6243f289015a1a78a5fd28f3eba56d07c33f6b
SHA256 be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120
SHA512 c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792