nanocore | 2d68a08146c225053c8314282aca4053408e85ff77a9bbd302efe44f1db4739e

General

Target

fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
Size

2.3MB
MD5

fdbaf1cf150f8ce9892cd77f8f57ee3a
SHA1

30b9e7f9fd621887cc3c0d386e8f39e2d5c82229
SHA256

2d68a08146c225053c8314282aca4053408e85ff77a9bbd302efe44f1db4739e
SHA512

1c9b52214898992d138da884da8c360eb8a40aabb3fa8b9027bcc93686d4f1df2a77f00ecc75944eec063e896b65bc70d1e0c865c6a51e03f1894a4838a75caa
SSDEEP

49152:qAoTSV3SSpwtb9rRbipPihj+dPGyFUJ8pg:qnu3nERmpPiF+9GyFUJ8K

Score

10^/10

nanocore defense_evasion discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3940	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4624	Raga.exe
3940	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Subsystem = "C:\\Program Files (x86)\\PCI Subsystem\\pciss.exe"	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe
4624	Raga.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1080 set thread context of 3940	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	92

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PCI Subsystem\pciss.exe	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\PCI Subsystem\pciss.exe	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCI Subsystem\pciss.exe\:ZONE.identifier:$DATA	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Raga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	Raga.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Raga.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Raga.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PCI Subsystem\pciss.exe\:ZONE.identifier:$DATA	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
4624	Raga.exe
3940	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
3940	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
3940	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
3940	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
3940	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
3940	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3940	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
Token: SeDebugPrivilege	4624	Raga.exe
Token: SeDebugPrivilege	3940	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4624	Raga.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4624	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	89
PID 1080 wrote to memory of 4624	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	89
PID 1080 wrote to memory of 4624	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	89
PID 1080 wrote to memory of 1548	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	90
PID 1080 wrote to memory of 1548	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	90
PID 1080 wrote to memory of 1548	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	90
PID 1080 wrote to memory of 3940	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	92
PID 1080 wrote to memory of 3940	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	92
PID 1080 wrote to memory of 3940	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	92
PID 1080 wrote to memory of 3940	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	92
PID 1080 wrote to memory of 3940	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	92
PID 1080 wrote to memory of 3940	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	92
PID 1080 wrote to memory of 3940	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	92
PID 1080 wrote to memory of 3940	1080	fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\Raga.exe
  "C:\Users\Admin\AppData\Local\Temp\Raga.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe":ZONE.identifier & exit
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

2

T1553

Install Root Certificate

1

T1553.004

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe.log

Filesize
223B

MD5
1cc4c5b51e50ec74a6880b50ecbee28b

SHA1
1ba7bb0e86c3d23fb0dc8bf16798d37afb4c4aba

SHA256
0556734df26e82e363d47748a3ceedd5c23ea4b9ded6e68bd5c373c1c9f8777b

SHA512
5d5532602b381125b24a9bd78781ed722ce0c862214ef17e7d224d269e6e7045c919ab19896dd8d9ae8920726092efe0ffb776a77a9a9539c4a70188d5a4c706

Download Submit
C:\Users\Admin\AppData\Local\Temp\Raga.exe

Filesize
1.6MB

MD5
7028b8bcff9aa7fae47d5c29481d4eb9

SHA1
1c9deb7b3dcb44fec1f6be6dab46f158d7eb768e

SHA256
ed7fddc0861e1ba103554f9f8f65cc412ca4cb06d1ed371c9b380e6e8bc0f805

SHA512
4352e95ebed2f1617db5032a2ac35c06af1ee89cd22e9506e3d5f663a59efafa6462b0a1aed5fc2ac477666afa38bcf03462ff2b4033c3cc7e0a5641e2ddd91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbB259.tmp

Filesize
1KB

MD5
152fd83c71248d63d3d291501ef59898

SHA1
a44017c0c31ec38ad1770a6540ca33e339de12ed

SHA256
61e38537744bbc4826d0cea5d922dd686fe78292444f096993de693195824434

SHA512
5f5be90c2f7bc2d02258c090b2f66b195f1dfc9fc58dfe4c5c8ed1a4394dee9086adbf97a4ae50b5058c5156c319799c2dd27745560e622e34d2074fe81d42a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe

Filesize
2.3MB

MD5
fdbaf1cf150f8ce9892cd77f8f57ee3a

SHA1
30b9e7f9fd621887cc3c0d386e8f39e2d5c82229

SHA256
2d68a08146c225053c8314282aca4053408e85ff77a9bbd302efe44f1db4739e

SHA512
1c9b52214898992d138da884da8c360eb8a40aabb3fa8b9027bcc93686d4f1df2a77f00ecc75944eec063e896b65bc70d1e0c865c6a51e03f1894a4838a75caa

Download Submit
memory/1080-47-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1080-4-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1080-38-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1080-17-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1080-18-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1080-0-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/1080-3-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/1080-2-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1080-1-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3940-46-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3940-48-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3940-71-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3940-67-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3940-49-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4624-21-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/4624-30-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4624-19-0x00000000779C2000-0x00000000779C3000-memory.dmp

Filesize
4KB

Download
memory/4624-20-0x00000000779C3000-0x00000000779C4000-memory.dmp

Filesize
4KB

Download
memory/4624-16-0x0000000000BD0000-0x0000000000F5A000-memory.dmp

Filesize
3.5MB

Download
memory/4624-25-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/4624-34-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4624-65-0x0000000000BD0000-0x0000000000F5A000-memory.dmp

Filesize
3.5MB

Download
memory/4624-66-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4624-31-0x0000000006EC0000-0x0000000006F24000-memory.dmp

Filesize
400KB

Download
memory/4624-33-0x0000000003C80000-0x0000000003C84000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads