9ba560fb26213c307fe1940e9918e0a57d160122c0e4e1531bf4a8f5392bc5ed

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 14:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
Size

366KB
MD5

f002bf28f8af3bd6ca14f25f002b5b5a
SHA1

b626e1e77bc2d474a63e3f1873e0ded2d5f07b24
SHA256

9ba560fb26213c307fe1940e9918e0a57d160122c0e4e1531bf4a8f5392bc5ed
SHA512

ceaf4816c2a11fad031c83e8c003e6dc7f6cf855d0f94c9940bb9c0f7ed2f55b830a3833f4eaf75830d8cdc70f95f60637c68027cf68014e6320949a5d2670e6
SSDEEP

6144:YCZ/3sHw0Ecywu3fY+0APPTybbasvDIepNMSqZxXXeWm60yDOrOY+Hk:YMUHTyHrPPTybb5vDFFq8uLk

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Deletes itself 1 IoCs

pid	Process
1252	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2232	Logo1_.exe
2892	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1252	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\uninstall\rundl132.exe	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
File created	C:\Windows\Logo1_.exe	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1904	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	30
PID 2124 wrote to memory of 1904	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	30
PID 2124 wrote to memory of 1904	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	30
PID 2124 wrote to memory of 1904	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	30
PID 1904 wrote to memory of 2532	1904	net.exe	32
PID 1904 wrote to memory of 2532	1904	net.exe	32
PID 1904 wrote to memory of 2532	1904	net.exe	32
PID 1904 wrote to memory of 2532	1904	net.exe	32
PID 2124 wrote to memory of 1252	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	33
PID 2124 wrote to memory of 1252	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	33
PID 2124 wrote to memory of 1252	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	33
PID 2124 wrote to memory of 1252	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	33
PID 2124 wrote to memory of 2232	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	35
PID 2124 wrote to memory of 2232	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	35
PID 2124 wrote to memory of 2232	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	35
PID 2124 wrote to memory of 2232	2124	f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe	35
PID 2232 wrote to memory of 2184	2232	Logo1_.exe	36
PID 2232 wrote to memory of 2184	2232	Logo1_.exe	36
PID 2232 wrote to memory of 2184	2232	Logo1_.exe	36
PID 2232 wrote to memory of 2184	2232	Logo1_.exe	36
PID 2184 wrote to memory of 2880	2184	net.exe	38
PID 2184 wrote to memory of 2880	2184	net.exe	38
PID 2184 wrote to memory of 2880	2184	net.exe	38
PID 2184 wrote to memory of 2880	2184	net.exe	38
PID 1252 wrote to memory of 2892	1252	cmd.exe	39
PID 1252 wrote to memory of 2892	1252	cmd.exe	39
PID 1252 wrote to memory of 2892	1252	cmd.exe	39
PID 1252 wrote to memory of 2892	1252	cmd.exe	39
PID 2232 wrote to memory of 2592	2232	Logo1_.exe	40
PID 2232 wrote to memory of 2592	2232	Logo1_.exe	40
PID 2232 wrote to memory of 2592	2232	Logo1_.exe	40
PID 2232 wrote to memory of 2592	2232	Logo1_.exe	40
PID 2592 wrote to memory of 2868	2592	net.exe	42
PID 2592 wrote to memory of 2868	2592	net.exe	42
PID 2592 wrote to memory of 2868	2592	net.exe	42
PID 2592 wrote to memory of 2868	2592	net.exe	42
PID 2232 wrote to memory of 1196	2232	Logo1_.exe	21
PID 2232 wrote to memory of 1196	2232	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA68C.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2892
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aA68C.bat

Filesize
614B

MD5
c59e8ee06d325b4dac67fa2a5db062a5

SHA1
1e6dd39cac4c6a50070d615864a3682612885901

SHA256
d15d55359a92d345b3c1d3b5dea73273922bcbb23ba25edc2b4760263b1480af

SHA512
329d98d4df4bfe3008133f5e58d264957ea799d07b41aa493cfb5bae4d535dcdf833dcede02d3ec0677512084c05216343b7d1f30635bcc1e7be4782e5683606

Download Submit
C:\Users\Admin\AppData\Local\Temp\f002bf28f8af3bd6ca14f25f002b5b5a_JaffaCakes118.exe

Filesize
278KB

MD5
7b883fbf12d8febcaa3e94c7c421d7ae

SHA1
321eaa1df78ba1ad4ede806d5d8b170938aa5155

SHA256
c85520acd0cec077b187a3622ce5e6dc873eb00aacd915ef059970320a3967b3

SHA512
e488ef52a654a6bf84d7639e9c51f64bb932cca99ca3f62c2080ddb20d9e65d6e4d1895123590a175a8880f615a42051ae705f97963e75d405614eeda049694a

Download Submit
C:\Windows\Logo1_.exe

Filesize
88KB

MD5
d9e5d5d18508aa5c50bb62a9b235ab0b

SHA1
865e38d294a107fa5171b75354863989e19c5671

SHA256
c44e647431b9e3cb95532be8865d873850821664daa8500e1458ebf013bf3d05

SHA512
ae40f879d2dbb86af612f6df6cb14321091078edbed61aeaeef0067915fcee40dd33eb8b4836a3948823c6b7a7a04aa890605f147853ea7730d4af1625ae7e3d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
832B

MD5
7e3a0edd0c6cd8316f4b6c159d5167a1

SHA1
753428b4736ffb2c9e3eb50f89255b212768c55a

SHA256
1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

SHA512
9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\_desktop.ini

Filesize
9B

MD5
5412111268dd2c1fb1cf8697bfab9b6c

SHA1
16d0b289e83c74cb50a004edd7c5750ac706f321

SHA256
f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

SHA512
13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

Download Submit
memory/1196-26-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2124-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-2959-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-4147-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download