Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2024 06:47

Static task: static1

Behavioral task: behavioral1
Sample: d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Resource: win10v2004-20241007-en

General
Target: d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Size: 173KB
MD5: d1233b402c1f2eb42d9114cabc620af3
SHA1: 981ed9468d9ebca4ba046194822f87be88819bac
SHA256: 62b98bcdf890bff37ce85ce18d8b4ac046c6a248979ef068c3298e75a48dc5ad
SHA512: be1586ddf658184832198e66fb2453dd3b18faa2ace6e0b82887a5bf384c632aaf7c85f53c436b1661bb86c3fa93f42226ed6512bf62a5d6d6e9277418173d25
SSDEEP: 3072:ogO8Ng8VvnvhcZcqfVwuS1glK8CjB0jmUJXRnLuJuq77i28W:ogng8VCZ59/rKtjTUPuJPJT
Malware Config
Signatures
Detect XtremeRAT payload 5 IoCs
resource | yara_rule
behavioral1/memory/2348-5-0x0000000000C80000-0x0000000000CAA000-memory.dmp | family_xtremerat
behavioral1/memory/2348-6-0x0000000000C80000-0x0000000000CAA000-memory.dmp | family_xtremerat
behavioral1/memory/2116-11-0x0000000000C80000-0x0000000000CAA000-memory.dmp | family_xtremerat
behavioral1/memory/2348-28-0x0000000000C80000-0x0000000000CAA000-memory.dmp | family_xtremerat
behavioral1/memory/1980-267-0x0000000000C80000-0x0000000000CAA000-memory.dmp | family_xtremerat
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
ISR Stealer payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0009000000015d59-15.dat | family_isrstealer
Isrstealer family
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Xtremerat family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 40 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Executes dropped EXE 55 IoCs
pid | Process
2788 | 491Servidor xD.exe
2396 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2924 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
980 | 491Servidor xD.exe
2720 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
752 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2556 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1412 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2536 | 491Servidor xD.exe
600 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1276 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1908 | 491Servidor xD.exe
1872 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
940 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1536 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2380 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2332 | 491Servidor xD.exe
2864 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2568 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2940 | 491Servidor xD.exe
1256 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2660 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2728 | 491Servidor xD.exe
2020 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2008 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2788 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1540 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
976 | 491Servidor xD.exe
708 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
836 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1700 | 491Servidor xD.exe
1228 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2640 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2856 | 491Servidor xD.exe
2372 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2260 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
896 | 491Servidor xD.exe
2772 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1980 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2396 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1732 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2300 | 491Servidor xD.exe
2964 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1752 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1396 | 491Servidor xD.exe
2284 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2104 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2624 | 491Servidor xD.exe
1640 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1716 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1612 | 491Servidor xD.exe
796 | 491Servidor xD.exe
2232 | 491Servidor xD.exe
2684 | 491Servidor xD.exe
2972 | 491Servidor xD.exe
Loads dropped DLL 64 IoCs
pid | Process
2348 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2348 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2348 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2396 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2924 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2924 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2924 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2720 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2116 | svchost.exe
2116 | svchost.exe
2556 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
752 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
752 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
752 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
600 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1412 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1412 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1412 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1872 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2116 | svchost.exe
2116 | svchost.exe
1536 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1276 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1276 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1276 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2864 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
940 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
940 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
940 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1256 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2380 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2380 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2380 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2020 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2116 | svchost.exe
2116 | svchost.exe
2788 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2568 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2568 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2568 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
708 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2660 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2660 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2660 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1228 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2008 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2008 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2008 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2372 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1540 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1540 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1540 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2772 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2116 | svchost.exe
2116 | svchost.exe
2396 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
836 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
836 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
836 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2964 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2640 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2640 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2640 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2284 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 40 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe" | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Suspicious use of SetThreadContext 19 IoCs
description | pid | Process | procid_target
PID 2344 set thread context of 2348 | 2344 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 30
PID 2396 set thread context of 2924 | 2396 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 42
PID 2720 set thread context of 752 | 2720 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 54
PID 2556 set thread context of 1412 | 2556 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 57
PID 600 set thread context of 1276 | 600 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 75
PID 1872 set thread context of 940 | 1872 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 80
PID 1536 set thread context of 2380 | 1536 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 84
PID 2864 set thread context of 2568 | 2864 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 105
PID 1256 set thread context of 2660 | 1256 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 111
PID 2020 set thread context of 2008 | 2020 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 117
PID 2788 set thread context of 1540 | 2788 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 120
PID 708 set thread context of 836 | 708 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 146
PID 1228 set thread context of 2640 | 1228 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 154
PID 2372 set thread context of 2260 | 2372 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 160
PID 2772 set thread context of 1980 | 2772 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 167
PID 2396 set thread context of 1732 | 2396 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 171
PID 2964 set thread context of 1752 | 2964 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 201
PID 2284 set thread context of 2104 | 2284 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 209
PID 1640 set thread context of 1716 | 1640 | d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe | 215
resource | yara_rule
behavioral1/memory/2348-4-0x0000000000C80000-0x0000000000CAA000-memory.dmp | upx
behavioral1/memory/2348-5-0x0000000000C80000-0x0000000000CAA000-memory.dmp | upx
behavioral1/memory/2348-6-0x0000000000C80000-0x0000000000CAA000-memory.dmp | upx
behavioral1/memory/2348-2-0x0000000000C80000-0x0000000000CAA000-memory.dmp | upx
behavioral1/memory/2116-11-0x0000000000C80000-0x0000000000CAA000-memory.dmp | upx
behavioral1/memory/2348-28-0x0000000000C80000-0x0000000000CAA000-memory.dmp | upx
behavioral1/memory/1980-267-0x0000000000C80000-0x0000000000CAA000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 58 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   491Servidor xD.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
Rows are collapsed to distinct (ioc, Process) pairs; the key is opened once by each process instance of the three images above.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process
2788   491Servidor xD.exe
980    491Servidor xD.exe
2536   491Servidor xD.exe
1908   491Servidor xD.exe
2332   491Servidor xD.exe
2940   491Servidor xD.exe
2728   491Servidor xD.exe
976    491Servidor xD.exe
1700   491Servidor xD.exe
2856   491Servidor xD.exe
896    491Servidor xD.exe
2300   491Servidor xD.exe
1396   491Servidor xD.exe
2624   491Servidor xD.exe
1612   491Servidor xD.exe
796    491Servidor xD.exe
Each PID above accounts for four of the 64 IoCs.
Suspicious use of SetWindowsHookEx 39 IoCs
Process: d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
  PIDs: 2344, 2396, 2720, 2556, 600, 1872, 1536, 2864, 1256, 2020, 2788, 708, 1228, 2372, 2772, 2396, 2964, 2284, 1640, 1980
Process: 491Servidor xD.exe
  PIDs: 2788, 980, 2536, 1908, 2332, 2940, 2728, 976, 1700, 2856, 896, 2300, 1396, 2624, 1612, 796, 2232, 2684, 2972
Suspicious use of WriteProcessMemory 64 IoCs
description       pid    Process                                               target PID   procid_target   repetitions
wrote to memory   2344   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2348         30              9
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2116         31              5
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2576         32              5
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2568         33              5
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   1892         34              5
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2936         35              5
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   908          36              5
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2752         37              5
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2300         38              5
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2464         39              4
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2788         40              4
wrote to memory   2348   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2396         41              4
wrote to memory   2396   d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe   2924         42              3
The repetitions column gives how many times the raw report records the same (pid, target PID) event; the counts sum to the 64 IoCs.
Processes
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 1, PID 2344), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 2, PID 2348), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (level 3, PID 2116), command line: svchost.exe
      - Boot or Logon Autostart Execution: Active Setup
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 4, PID 2556), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 5, PID 1412), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 836), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 1784), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2964), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2700), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2276), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2248), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2356), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 1428), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe (level 6, PID 1908), command line: "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
          C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 6, PID 1872), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 7, PID 940), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
              - Boot or Logon Autostart Execution: Active Setup
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 1000), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2324), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 1980), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 3060), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 1808), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 1496), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2080), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2396), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe (level 8, PID 2940), command line: "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
              C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 8, PID 1256), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 9, PID 2660), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
                  - Boot or Logon Autostart Execution: Active Setup
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Adds Run key to start application
                  - System Location Discovery: System Language Discovery
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 1104), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 1552), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 2992), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 644), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 1436), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 2628), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 1500), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 2304), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe (level 10, PID 1700), command line: "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of SetWindowsHookEx
                  C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 10, PID 1228), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Suspicious use of SetThreadContext
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of SetWindowsHookEx
                    C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 11, PID 2640), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
                      - Boot or Logon Autostart Execution: Active Setup
                      - Executes dropped EXE
                      - Loads dropped DLL
                      - Adds Run key to start application
                      - System Location Discovery: System Language Discovery
                      C:\Program Files\Internet Explorer\iexplore.exe (level 12, PID 2768), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                      C:\Program Files\Internet Explorer\iexplore.exe (level 12, PID 2432), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                      C:\Program Files\Internet Explorer\iexplore.exe (level 12, PID 1528), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                      C:\Program Files\Internet Explorer\iexplore.exe (level 12, PID 2176), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                      C:\Program Files\Internet Explorer\iexplore.exe (level 12, PID 2588), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                      C:\Program Files\Internet Explorer\iexplore.exe (level 12, PID 1984), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                      C:\Program Files\Internet Explorer\iexplore.exe (level 12, PID 2788), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                      C:\Program Files\Internet Explorer\iexplore.exe (level 12, PID 2808), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                      C:\Program Files\Internet Explorer\iexplore.exe (level 12, PID 1820), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                      C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe (level 12, PID 1396), command line: "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of SetWindowsHookEx
                      C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 12, PID 2284), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
                        - Executes dropped EXE
                        - Loads dropped DLL
                        - Suspicious use of SetThreadContext
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of SetWindowsHookEx
                        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 13, PID 2104), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
                          - Boot or Logon Autostart Execution: Active Setup
                          - Executes dropped EXE
                          - Adds Run key to start application
                          - System Location Discovery: System Language Discovery
                          C:\Program Files\Internet Explorer\iexplore.exe (level 14, PID 1500), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                          C:\Program Files\Internet Explorer\iexplore.exe (level 14, PID 2560), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                          C:\Program Files\Internet Explorer\iexplore.exe (level 14, PID 1012), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                          C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe (level 14, PID 2972), command line: "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
                            - Executes dropped EXE
                            - System Location Discovery: System Language Discovery
                            - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 4, PID 1536), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 5, PID 2380), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 3052), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 880), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 1680), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 1452), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2100), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2588), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2076), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2504), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe (level 6, PID 2728), command line: "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
          C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 6, PID 2020), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 7, PID 2008), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
              - Boot or Logon Autostart Execution: Active Setup
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2816), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 108), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2024), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 1072), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2264), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 944), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 3028), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 844), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe (level 8, PID 2856), command line: "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
              C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 8, PID 2372), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 9, PID 2260), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
                  - Boot or Logon Autostart Execution: Active Setup
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - System Location Discovery: System Language Discovery
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 2840), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 2148), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 3056), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 2132), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 620), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 2460), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 2776), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Program Files\Internet Explorer\iexplore.exe (level 10, PID 2824), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe (level 10, PID 2624), command line: "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of SetWindowsHookEx
                  C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 10, PID 1640), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of SetWindowsHookEx
                    C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 11, PID 1716), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
                      - Boot or Logon Autostart Execution: Active Setup
                      - Executes dropped EXE
                      - Adds Run key to start application
                      - System Location Discovery: System Language Discovery
                      C:\Program Files\Internet Explorer\iexplore.exe (level 12, PID 1776), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                      C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe (level 12, PID 2684), command line: "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 4, PID 2788), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 5, PID 1540), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2756), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 1064), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 1560), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2748), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 1464), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 1352), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2316), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2272), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Program Files\Internet Explorer\iexplore.exe (level 6, PID 2576), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe (level 6, PID 896), command line: "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
          C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 6, PID 2772), command line: "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe (level 7, PID 1980), command line: C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
              - Boot or Logon Autostart Execution: Active Setup
              - Executes dropped EXE
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 940), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2308), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2712), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2020), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 948), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2332), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 708), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 2816), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              C:\Program Files\Internet Explorer\iexplore.exe (level 8, PID 1072), command line: "C:\Program Files\Internet Explorer\iexplore.exe"
-
-
C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1612
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2452
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1680
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2784
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2592
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2448
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2792
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2264
-
-
C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:796
-
-
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2576
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2568
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:1892
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:908
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2752
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2300
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2464
-
-
C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2788
-
-
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2832
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2716
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2660
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2656
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2204
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2712
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2148
-
-
C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:980
-
-
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:752 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1436
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1560
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1072
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2836
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2748
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2264
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2168
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1740
-
-
C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2536
-
-
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:600 -
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1916
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2584
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:888
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1988
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2372
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2140
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1532
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2092
-
-
C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2332
-
-
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2900
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2924
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1868
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1192
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:332
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2836
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2448
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1544
-
-
C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:976
-
-
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:708 -
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:836 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2356
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1492
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:848
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1148
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1304
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2100
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2380
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:544
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2524
-
-
C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2300
-
-
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe14⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2568
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:944
-
-
C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2232
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads