Overview

overview

10

Static

static

3

a02b961480...18.exe

windows7-x64

10

a02b961480...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2024, 05:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe

  • Size

    252KB

  • MD5

    a02b961480e8b7fc9313c6e2ae480442

  • SHA1

    fa6243f289015a1a78a5fd28f3eba56d07c33f6b

  • SHA256

    be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120

  • SHA512

    c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792

  • SSDEEP

    6144:b1Wj/JCXHjMc5qKeMuFFKN0jb2ZlhdBJVjY/eRUExoJyOYHB7qY8zIK0GznuAXyk:pWj

Score
10/10
andromedabackdoorbotnetdiscoverypersistence

Malware Config

Signatures

  • Andromeda family
    andromeda
  • Andromeda, Gamarue

    Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

    botnetbackdoorandromeda
  • Detects Andromeda payload. 4 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 29 IoCs
  • Maps connected drives based on registry 3 TTPs 58 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 58 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: MapViewOfSection 58 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
      "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
      2⤵
      • Executes dropped EXE
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\syswow64\svchost.exe
        3⤵
        • Adds policy Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        PID:4088
    • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5004
    • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
      "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
      2⤵
      • Executes dropped EXE
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\syswow64\svchost.exe
        3⤵
          PID:2692
      • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4968
      • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
        "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
        2⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\syswow64\svchost.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3876
      • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3088
      • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
        "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
        2⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:4924
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\syswow64\svchost.exe
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4168
      • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:972
      • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
        "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
        2⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:4200
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\syswow64\svchost.exe
          3⤵
            PID:4812
        • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:3132
        • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
          "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
          2⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:1992
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\syswow64\svchost.exe
            3⤵
            • System Location Discovery: System Language Discovery
            PID:3192
        • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3788
        • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
          "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
          2⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:2084
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\syswow64\svchost.exe
            3⤵
              PID:3940
          • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
            2⤵
            • Suspicious use of SetWindowsHookEx
            PID:4152
          • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
            "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
            2⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:1844
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\syswow64\svchost.exe
              3⤵
              • System Location Discovery: System Language Discovery
              PID:4476
          • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4104
          • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
            "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
            2⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:1616
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\syswow64\svchost.exe
              3⤵
              • System Location Discovery: System Language Discovery
              PID:4128
          • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
            2⤵
            • Suspicious use of SetWindowsHookEx
            PID:8
          • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
            "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
            2⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:2868
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\syswow64\svchost.exe
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2180
          • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:716
          • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
            "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
            2⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:3764
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\syswow64\svchost.exe
              3⤵
                PID:1348
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • Suspicious use of SetWindowsHookEx
              PID:4452
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:3316
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:232
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2076
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:1356
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:3684
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • Suspicious use of SetWindowsHookEx
              PID:3808
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:3172
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1636
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4808
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:1764
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:2176
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3608
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:3016
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1732
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • Suspicious use of SetWindowsHookEx
              PID:2580
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:4480
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:2372
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3204
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:448
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1244
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • Suspicious use of SetWindowsHookEx
              PID:224
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:2672
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4240
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:112
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:2708
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4936
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5100
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:3460
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1864
            • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
              2⤵
              • Suspicious use of SetWindowsHookEx
              PID:3832
            • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
              "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
              2⤵
              • Executes dropped EXE
              • Maps connected drives based on registry
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:2120
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\syswow64\svchost.exe
                3⤵
                  PID:4892
              • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
                "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4348
              • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
                "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
                2⤵
                • Executes dropped EXE
                • Maps connected drives based on registry
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:852
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\syswow64\svchost.exe
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1588
              • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
                "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4592
              • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
                "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
                2⤵
                • Executes dropped EXE
                • Maps connected drives based on registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:1572
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\syswow64\svchost.exe
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:4860
              • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
                "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
                2⤵
                • Suspicious use of SetWindowsHookEx
                PID:5032
              • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
                "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
                2⤵
                • Executes dropped EXE
                • Maps connected drives based on registry
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:808
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\syswow64\svchost.exe
                  3⤵
                    PID:4020
                • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
                  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2336
                • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
                  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
                  2⤵
                  • Executes dropped EXE
                  • Maps connected drives based on registry
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:4216
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\syswow64\svchost.exe
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1524
                • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
                  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:5048
                • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
                  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
                  2⤵
                  • Executes dropped EXE
                  • Maps connected drives based on registry
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:4280
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\syswow64\svchost.exe
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4092
                • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
                  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3508
                • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
                  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
                  2⤵
                  • Executes dropped EXE
                  • Maps connected drives based on registry
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:4920
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\syswow64\svchost.exe
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:452
                • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
                  "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:1700
                • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
                  "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
                  2⤵
                  • Executes dropped EXE
                  • Maps connected drives based on registry
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:384
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\syswow64\svchost.exe
                    3⤵
                      PID:916
                  • C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
                    "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:3492

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
                  Filesize

                  252KB

                  MD5

                  a02b961480e8b7fc9313c6e2ae480442

                  SHA1

                  fa6243f289015a1a78a5fd28f3eba56d07c33f6b

                  SHA256

                  be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120

                  SHA512

                  c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792

                  Download Submit

                • memory/972-81-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/2692-37-0x00000000006C0000-0x00000000006CE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/2692-39-0x0000000001080000-0x0000000001085000-memory.dmp

                  Filesize

                  20KB

                  Download

                • memory/2692-35-0x00000000006C0000-0x00000000006CE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/2692-46-0x0000000001080000-0x0000000001085000-memory.dmp

                  Filesize

                  20KB

                  Download

                • memory/3088-63-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/3132-101-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/3876-60-0x00000000006C0000-0x00000000006CE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/3876-61-0x00000000006C0000-0x00000000006CE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4088-13-0x00000000006C0000-0x00000000006CE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4088-15-0x00000000006C0000-0x00000000006CE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4088-18-0x0000000000BD0000-0x0000000000BD5000-memory.dmp

                  Filesize

                  20KB

                  Download

                • memory/4088-22-0x0000000000BD0000-0x0000000000BD5000-memory.dmp

                  Filesize

                  20KB

                  Download

                • memory/4168-79-0x00000000006C0000-0x00000000006CE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4168-78-0x00000000006C0000-0x00000000006CE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4340-4-0x0000000000400000-0x0000000000405000-memory.dmp

                  Filesize

                  20KB

                  Download

                • memory/4812-99-0x00000000006C0000-0x00000000006CE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4812-98-0x00000000006C0000-0x00000000006CE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4968-41-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/5004-48-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/5004-30-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/5004-7-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/5004-9-0x0000000000400000-0x0000000000435000-memory.dmp

                  Filesize

                  212KB

                  Download