Analysis Overview
SHA256
18f4035381c01ac7eba826bf786103b091ce6f0c05943722a2996dbf14744689
Threat Level: Known bad
The file d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Masslogger family
MassLogger Main payload
MassLogger
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Modifies Internet Explorer settings
outlook_office_path
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-19 21:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-19 21:51
Reported
2024-12-19 21:53
Platform
win11-20241007-en
Max time kernel
66s
Max time network
53s
Command Line
Signatures
MassLogger
MassLogger Main payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Masslogger family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3864 set thread context of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \Registry\User\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\NotificationData | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\control.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\control.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\control.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"
C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe'
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 2.18.66.177:443 | | tcp |
| GB | 2.18.66.177:443 | | tcp |
| US | 95.100.195.140:443 | r.bing.com | tcp |
| US | 95.100.195.140:443 | r.bing.com | tcp |
| US | 95.100.195.140:443 | r.bing.com | tcp |
| US | 95.100.195.140:443 | r.bing.com | tcp |
| US | 95.100.195.140:443 | r.bing.com | tcp |
| US | 95.100.195.140:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
Files
memory/3864-0-0x0000000074E0E000-0x0000000074E0F000-memory.dmp
memory/3864-1-0x0000000000B40000-0x0000000000C10000-memory.dmp
memory/3864-2-0x0000000005C00000-0x00000000061A6000-memory.dmp
memory/3864-3-0x0000000005650000-0x00000000056E2000-memory.dmp
memory/3864-4-0x0000000005580000-0x000000000558A000-memory.dmp
memory/3864-5-0x0000000074E00000-0x00000000755B1000-memory.dmp
memory/3864-6-0x0000000007EC0000-0x0000000007F5C000-memory.dmp
memory/3864-7-0x0000000005940000-0x0000000005952000-memory.dmp
memory/3864-8-0x0000000074E0E000-0x0000000074E0F000-memory.dmp
memory/3864-9-0x0000000074E00000-0x00000000755B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 393738f09c6138bc20ef0edd843d37dc |
| SHA1 | 7ebbfb06caa94a853f40eb5afae9c1989b59dc65 |
| SHA256 | ce112a6793b0d4bfd42d5065320e720d50852c0f51a0b3d54dae695980b6ef87 |
| SHA512 | 89da410b4952042d9b0c42b26bf6561679831e6434990355612301341fe32d8d47346d6cff8645c9d5fa8e075e0a906a6792cccfa152f8b3d40c1eec561abec3 |
memory/4220-11-0x00000242601A0000-0x00000242601A1000-memory.dmp
memory/4220-12-0x00000242601A0000-0x00000242601A1000-memory.dmp
memory/4220-13-0x00000242601A0000-0x00000242601A1000-memory.dmp
memory/4220-17-0x00000242601A0000-0x00000242601A1000-memory.dmp
memory/4220-23-0x00000242601A0000-0x00000242601A1000-memory.dmp
memory/4220-22-0x00000242601A0000-0x00000242601A1000-memory.dmp
memory/4220-21-0x00000242601A0000-0x00000242601A1000-memory.dmp
memory/4220-20-0x00000242601A0000-0x00000242601A1000-memory.dmp
memory/4220-19-0x00000242601A0000-0x00000242601A1000-memory.dmp
memory/4220-18-0x00000242601A0000-0x00000242601A1000-memory.dmp
memory/3864-24-0x00000000080B0000-0x0000000008148000-memory.dmp
memory/3864-25-0x000000000A7B0000-0x000000000A848000-memory.dmp
memory/4484-26-0x0000000000400000-0x0000000000486000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe.log
| MD5 | 7e1ed0055c3eaa0bbc4a29ec1ef15a6a |
| SHA1 | 765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d |
| SHA256 | 4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce |
| SHA512 | de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8 |
memory/3864-29-0x0000000074E00000-0x00000000755B1000-memory.dmp
memory/1452-30-0x0000000005A00000-0x0000000005A12000-memory.dmp
memory/4484-31-0x0000000006740000-0x00000000067A6000-memory.dmp
memory/4484-32-0x00000000071F0000-0x0000000007240000-memory.dmp
memory/1064-33-0x0000000002E00000-0x0000000002E36000-memory.dmp
memory/1064-34-0x0000000005860000-0x0000000005E8A000-memory.dmp
memory/1064-36-0x0000000005F70000-0x0000000005FD6000-memory.dmp
memory/1064-35-0x0000000005E90000-0x0000000005EB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bkt3wu0u.ir4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1064-45-0x0000000006100000-0x0000000006457000-memory.dmp
memory/1064-46-0x00000000065F0000-0x000000000660E000-memory.dmp
memory/1064-47-0x0000000006850000-0x000000000689C000-memory.dmp
memory/1064-48-0x00000000075B0000-0x00000000075E4000-memory.dmp
memory/1064-49-0x0000000070380000-0x00000000703CC000-memory.dmp
memory/1064-58-0x00000000075F0000-0x000000000760E000-memory.dmp
memory/1064-59-0x0000000007690000-0x0000000007734000-memory.dmp
memory/1064-60-0x0000000008000000-0x000000000867A000-memory.dmp
memory/1064-61-0x00000000079B0000-0x00000000079CA000-memory.dmp
memory/1064-62-0x0000000007A30000-0x0000000007A3A000-memory.dmp
memory/1064-63-0x0000000007C40000-0x0000000007CD6000-memory.dmp
memory/1064-64-0x0000000007BC0000-0x0000000007BD1000-memory.dmp
memory/1064-65-0x0000000007BF0000-0x0000000007BFE000-memory.dmp
memory/1064-66-0x0000000007C00000-0x0000000007C15000-memory.dmp
memory/1064-67-0x0000000007D00000-0x0000000007D1A000-memory.dmp
memory/1064-68-0x0000000007CF0000-0x0000000007CF8000-memory.dmp