9fa50d12297d7579185e71979e238308b3dfe9cd698ab6ee7b5fad823aa7e7f1

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 20:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe
Size

232KB
MD5

a82b32821738b504f4165483d7eeb490
SHA1

e4dd76f7b45a3a45c7130a4c2fbb54e77cc4ab40
SHA256

9fa50d12297d7579185e71979e238308b3dfe9cd698ab6ee7b5fad823aa7e7f1
SHA512

39dc875bd0405b313c29963d5bc459a2f404a930ef072bbe3fce4b07d1bfd93a7fd2c540d5ff67eb9be37da20c2bdfbf005a47aa572161dff732af2ec82c2a92
SSDEEP

6144:9hbZ5hMTNFf8LAurlEzAX7o5hn8wVSZ2sXx6:vtXMzqrllX7618wN

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 25 IoCs

pid	Process
1756	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe
2968	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe
2716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe
2984	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe
2960	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe
2608	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe
2660	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe
1100	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe
1952	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe
1716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe
1700	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe
1076	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe
2440	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe
2704	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe
788	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe
700	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202o.exe
1788	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202p.exe
812	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202q.exe
1364	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202r.exe
2488	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202s.exe
2416	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202t.exe
2564	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202u.exe
1808	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202v.exe
1268	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202w.exe
3048	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202y.exe

Loads dropped DLL 50 IoCs

pid	Process
2404	a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe
2404	a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe
1756	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe
1756	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe
2968	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe
2968	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe
2716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe
2716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe
2984	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe
2984	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe
2960	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe
2960	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe
2608	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe
2608	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe
2660	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe
2660	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe
1100	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe
1100	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe
1952	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe
1952	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe
1716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe
1716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe
1700	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe
1700	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe
1076	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe
1076	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe
2440	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe
2440	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe
2704	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe
2704	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe
788	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe
788	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe
700	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202o.exe
700	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202o.exe
1788	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202p.exe
1788	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202p.exe
812	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202q.exe
812	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202q.exe
1364	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202r.exe
1364	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202r.exe
2488	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202s.exe
2488	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202s.exe
2416	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202t.exe
2416	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202t.exe
2564	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202u.exe
2564	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202u.exe
1808	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202v.exe
1808	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202v.exe
1572	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202x.exe
1572	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e01e69c758354f51	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 6b5542522ae49479	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202w.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1756	2404	a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe	30
PID 2404 wrote to memory of 1756	2404	a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe	30
PID 2404 wrote to memory of 1756	2404	a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe	30
PID 2404 wrote to memory of 1756	2404	a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe	30
PID 1756 wrote to memory of 2968	1756	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe	31
PID 1756 wrote to memory of 2968	1756	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe	31
PID 1756 wrote to memory of 2968	1756	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe	31
PID 1756 wrote to memory of 2968	1756	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe	31
PID 2968 wrote to memory of 2716	2968	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe	33
PID 2968 wrote to memory of 2716	2968	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe	33
PID 2968 wrote to memory of 2716	2968	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe	33
PID 2968 wrote to memory of 2716	2968	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe	33
PID 2716 wrote to memory of 2984	2716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe	34
PID 2716 wrote to memory of 2984	2716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe	34
PID 2716 wrote to memory of 2984	2716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe	34
PID 2716 wrote to memory of 2984	2716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe	34
PID 2984 wrote to memory of 2960	2984	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe	35
PID 2984 wrote to memory of 2960	2984	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe	35
PID 2984 wrote to memory of 2960	2984	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe	35
PID 2984 wrote to memory of 2960	2984	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe	35
PID 2960 wrote to memory of 2608	2960	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe	36
PID 2960 wrote to memory of 2608	2960	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe	36
PID 2960 wrote to memory of 2608	2960	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe	36
PID 2960 wrote to memory of 2608	2960	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe	36
PID 2608 wrote to memory of 2660	2608	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe	37
PID 2608 wrote to memory of 2660	2608	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe	37
PID 2608 wrote to memory of 2660	2608	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe	37
PID 2608 wrote to memory of 2660	2608	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe	37
PID 2660 wrote to memory of 1100	2660	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe	38
PID 2660 wrote to memory of 1100	2660	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe	38
PID 2660 wrote to memory of 1100	2660	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe	38
PID 2660 wrote to memory of 1100	2660	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe	38
PID 1100 wrote to memory of 1952	1100	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe	39
PID 1100 wrote to memory of 1952	1100	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe	39
PID 1100 wrote to memory of 1952	1100	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe	39
PID 1100 wrote to memory of 1952	1100	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe	39
PID 1952 wrote to memory of 1716	1952	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe	40
PID 1952 wrote to memory of 1716	1952	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe	40
PID 1952 wrote to memory of 1716	1952	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe	40
PID 1952 wrote to memory of 1716	1952	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe	40
PID 1716 wrote to memory of 1700	1716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe	41
PID 1716 wrote to memory of 1700	1716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe	41
PID 1716 wrote to memory of 1700	1716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe	41
PID 1716 wrote to memory of 1700	1716	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe	41
PID 1700 wrote to memory of 1076	1700	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe	42
PID 1700 wrote to memory of 1076	1700	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe	42
PID 1700 wrote to memory of 1076	1700	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe	42
PID 1700 wrote to memory of 1076	1700	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe	42
PID 1076 wrote to memory of 2440	1076	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe	43
PID 1076 wrote to memory of 2440	1076	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe	43
PID 1076 wrote to memory of 2440	1076	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe	43
PID 1076 wrote to memory of 2440	1076	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe	43
PID 2440 wrote to memory of 2704	2440	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe	44
PID 2440 wrote to memory of 2704	2440	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe	44
PID 2440 wrote to memory of 2704	2440	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe	44
PID 2440 wrote to memory of 2704	2440	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe	44
PID 2704 wrote to memory of 788	2704	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe	45
PID 2704 wrote to memory of 788	2704	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe	45
PID 2704 wrote to memory of 788	2704	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe	45
PID 2704 wrote to memory of 788	2704	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe	45
PID 788 wrote to memory of 700	788	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe	46
PID 788 wrote to memory of 700	788	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe	46
PID 788 wrote to memory of 700	788	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe	46
PID 788 wrote to memory of 700	788	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe	46

C:\Users\Admin\AppData\Local\Temp\a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404
- \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe
  c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1756
- - \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe
    c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe
      c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202o.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202p.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202q.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202r.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202s.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202t.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202u.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202v.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202w.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202x.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202x.exe
        26⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        \??\c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202y.exe
        
        c:\users\admin\appdata\local\temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe

Filesize
232KB

MD5
8c81e37c1e857863d3df1e4968c21219

SHA1
ac64aa9839de139a6b1e21ab52bfcef3dbce0c88

SHA256
052820a44eb43b37043f44f76926b534f8e9912bd19ecea2477fad05a46382b7

SHA512
edb49725255cf448f415f476b70f0fb36bc2f289028891cf48aeb728eb59ec9cfe49ab7b5859039aec6a34b66f3ac82694485d7bbd7e00762add3fd96c442cfa

Download Submit
\Users\Admin\AppData\Local\Temp\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe

Filesize
232KB

MD5
94201504cbb1403135879326404927c0

SHA1
9ca91d57f7c6326bebddd3260402cae77d8b56f8

SHA256
0f0704f2e63e8b800b8f8aed17fef5249b7a3532f98f04c11972f8d5442bacda

SHA512
0e49256075d6656e663d356fd826847ae96f89e5727755b1a6baeb6b91e0979a6cee9fdbb838aa3afc46c50aca464583b1dce1e1e7df47bcdf7f189c87a18983

Download Submit
memory/700-248-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/788-237-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/812-264-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/812-269-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1076-193-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1076-180-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1100-131-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1268-329-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1268-326-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1268-327-0x00000000778A0000-0x00000000779BF000-memory.dmp

Filesize
1.1MB

Download
memory/1268-328-0x00000000779C0000-0x0000000077ABA000-memory.dmp

Filesize
1000KB

Download
memory/1364-280-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1364-279-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/1572-339-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/1572-340-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1700-177-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/1700-179-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1716-149-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1716-164-0x0000000000530000-0x000000000056B000-memory.dmp

Filesize
236KB

Download
memory/1716-162-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1756-14-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1756-27-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1788-258-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1808-325-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1952-142-0x0000000000360000-0x000000000039B000-memory.dmp

Filesize
236KB

Download
memory/1952-133-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1952-148-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2404-13-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2404-0-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2416-305-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2416-299-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2416-303-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2440-203-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2440-208-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2488-292-0x0000000001C00000-0x0000000001C3B000-memory.dmp

Filesize
236KB

Download
memory/2488-281-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2488-291-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2488-344-0x0000000001C00000-0x0000000001C3B000-memory.dmp

Filesize
236KB

Download
memory/2564-315-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2564-304-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2608-103-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2660-118-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2660-116-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2704-222-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2716-58-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2716-53-0x0000000001D30000-0x0000000001D6B000-memory.dmp

Filesize
236KB

Download
memory/2960-88-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2960-87-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2960-343-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2968-342-0x0000000001C90000-0x0000000001CCB000-memory.dmp

Filesize
236KB

Download
memory/2968-43-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2968-42-0x0000000001C90000-0x0000000001CCB000-memory.dmp

Filesize
236KB

Download
memory/2968-29-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2984-74-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2984-61-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3048-341-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe\""	a82b32821738b504f4165483d7eeb490_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202r.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202t.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202w.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202x.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202v.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202p.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202u.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202d.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202k.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202s.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202y.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202f.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202o.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202q.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202b.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a82b32821738b504f4165483d7eeb490_jaffacakes118_3202i.exe\""	a82b32821738b504f4165483d7eeb490_jaffacakes118_3202h.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads