neshta | 44383243001cf4c3937016df8d0cc3f6b77147960df4f051d8feb8a455bb9d00

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 04:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
Size

194KB
MD5

46e61d1b5376dd6642a40e5465318410
SHA1

e0b20c3d8b9853db4027f7cc74014f66a26ae014
SHA256

44383243001cf4c3937016df8d0cc3f6b77147960df4f051d8feb8a455bb9d00
SHA512

de39df76dacdb7558aa49c603760cad74e57f7481a6c9de2acc3418c2d06cc584d72eced3cdb22c4014ddc878dd391be8e470e25ae15adf002a64e89ff6c04d8
SSDEEP

3072:sr85CY9X3tLBAMrAEi9/axmLBygElun9X3wuc5ig7CDMefRwgOZvD5vZvuCErCoi:k9OIERmLwlu9+irwg2vVvZvuCYX6bH

Score

10^/10

neshta defense_evasion discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 18 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-11.dat	family_neshta
behavioral1/files/0x0008000000016399-49.dat	family_neshta
behavioral1/files/0x0001000000010312-117.dat	family_neshta
behavioral1/files/0x0013000000010321-116.dat	family_neshta
behavioral1/files/0x000f00000001033a-115.dat	family_neshta
behavioral1/files/0x000100000000f776-122.dat	family_neshta
behavioral1/files/0x000300000001219c-150.dat	family_neshta
behavioral1/files/0x000300000001219d-154.dat	family_neshta
behavioral1/files/0x000b000000005986-197.dat	family_neshta
behavioral1/files/0x00050000000055df-199.dat	family_neshta
behavioral1/files/0x0003000000005ab6-200.dat	family_neshta
behavioral1/files/0x000d0000000056d3-207.dat	family_neshta
behavioral1/files/0x0004000000005725-206.dat	family_neshta
behavioral1/files/0x000300000000e6f5-205.dat	family_neshta
behavioral1/memory/3044-208-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2840-210-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2840-212-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3044-215-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 2 IoCs

pid	Process
2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
2840	svchost.com

Loads dropped DLL 6 IoCs

pid	Process
3044	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
2840	svchost.com
3044	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Binary Proxy Execution: Rundll32 1 TTPs 2 IoCs

Abuse Rundll32 to proxy execution of malicious code.

defense_evasion

Rundll32

T1218.011

pid	Process
2840	svchost.com
2848	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe

Drops file in Windows directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\Aero\SET9D40.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_ew.cur	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D43.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D57.tmp	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D0A.tmp	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D1D.tmp	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D2F.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_arrow.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D1C.tmp	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D55.tmp	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D56.tmp	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D44.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_pen.cur	rundll32.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\Cursors\Aero\SET9D2F.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D41.tmp	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D42.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_move.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_helpsel.cur	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D2E.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_nesw.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D43.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D44.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_link.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D55.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_alt.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D1D.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_busy.ani	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D41.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_nwse.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_ns.cur	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D40.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D56.tmp	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D57.tmp	rundll32.exe
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
File created	C:\Windows\Cursors\Aero\SET9D0A.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D2D.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_select.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D0B.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_working.ani	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D2E.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_prec.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\SET9D42.tmp	rundll32.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\Cursors\Aero\SET9D0B.tmp	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D1C.tmp	rundll32.exe
File created	C:\Windows\Cursors\Aero\SET9D2D.tmp	rundll32.exe
File opened for modification	C:\Windows\Cursors\Aero\aero_unavail.cur	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Control Panel 20 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\ = "Aero"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\Hand = "%SYSTEMROOT%\\Cursors\\Aero\\aero_link.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\Crosshair = "%SYSTEMROOT%\\Cursors\\Aero\\aero_prec.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\NWPen = "%SYSTEMROOT%\\Cursors\\Aero\\aero_pen.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\SizeWE = "%SYSTEMROOT%\\Cursors\\Aero\\aero_ew.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\SizeNWSE = "%SYSTEMROOT%\\Cursors\\Aero\\aero_nwse.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\SizeAll = "%SYSTEMROOT%\\Cursors\\Aero\\aero_move.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\UpArrow = "%SYSTEMROOT%\\Cursors\\Aero\\aero_alt.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\Help = "%SYSTEMROOT%\\Cursors\\Aero\\aero_helpsel.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\AppStarting = "%SYSTEMROOT%\\Cursors\\Aero\\aero_working.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\IBeam = "%SYSTEMROOT%\\Cursors\\Aero\\aero_select.cur"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\Scheme Source = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\Wait = "%SYSTEMROOT%\\Cursors\\Aero\\aero_busy.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\No = "%SYSTEMROOT%\\Cursors\\Aero\\aero_unavail.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\SizeNS = "%SYSTEMROOT%\\Cursors\\Aero\\aero_ns.cur"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\Schemes	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\Schemes\Aero = "C:\\Windows\\Cursors\\Aero\\aero_arrow.cur,C:\\Windows\\Cursors\\Aero\\aero_helpsel.cur,C:\\Windows\\Cursors\\Aero\\aero_working.ani,C:\\Windows\\Cursors\\Aero\\aero_busy.ani,C:\\Windows\\Cursors\\Aero\\aero_prec.cur,C:\\Windows\\Cursors\\Aero\\aero_select.cur,C:\\Windows\\Cursors\\Aero\\aero_pen.cur,C:\\Windows\\Cursors\\Aero\\aero_unavail.cur,C:\\Windows\\Cursors\\Aero\\aero_ns.cur,C:\\Windows\\Cursors\\Aero\\aero_ew.cur,C:\\Windows\\Cursors\\Aero\\aero_nwse.cur,C:\\Windows\\Cursors\\Aero\\aero_nesw.cur,C:\\Windows\\Cursors\\Aero\\aero_move.cur,C:\\Windows\\Cursors\\Aero\\aero_alt.cur,C:\\Windows\\Cursors\\Aero\\aero_link.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\Arrow = "%SYSTEMROOT%\\Cursors\\Aero\\aero_arrow.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Cursors\SizeNESW = "%SYSTEMROOT%\\Cursors\\Aero\\aero_nesw.cur"	rundll32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2848	rundll32.exe
Token: SeRestorePrivilege	2848	rundll32.exe
Token: SeRestorePrivilege	2848	rundll32.exe
Token: SeRestorePrivilege	2848	rundll32.exe
Token: SeRestorePrivilege	2848	rundll32.exe
Token: SeRestorePrivilege	2848	rundll32.exe
Token: SeRestorePrivilege	2848	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2408	3044	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	30
PID 3044 wrote to memory of 2408	3044	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	30
PID 3044 wrote to memory of 2408	3044	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	30
PID 3044 wrote to memory of 2408	3044	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	30
PID 3044 wrote to memory of 2408	3044	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	30
PID 3044 wrote to memory of 2408	3044	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	30
PID 3044 wrote to memory of 2408	3044	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	30
PID 2408 wrote to memory of 2840	2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	31
PID 2408 wrote to memory of 2840	2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	31
PID 2408 wrote to memory of 2840	2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	31
PID 2408 wrote to memory of 2840	2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	31
PID 2408 wrote to memory of 2840	2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	31
PID 2408 wrote to memory of 2840	2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	31
PID 2408 wrote to memory of 2840	2408	JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe	31
PID 2840 wrote to memory of 2848	2840	svchost.com	32
PID 2840 wrote to memory of 2848	2840	svchost.com	32
PID 2840 wrote to memory of 2848	2840	svchost.com	32
PID 2840 wrote to memory of 2848	2840	svchost.com	32
PID 2840 wrote to memory of 2848	2840	svchost.com	32
PID 2840 wrote to memory of 2848	2840	svchost.com	32
PID 2840 wrote to memory of 2848	2840	svchost.com	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\rundll32.exe" advpack.dll,LaunchINFSection Mycursor.inf, DefaultInstall,3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Binary Proxy Execution: Rundll32
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\System32\rundll32.exe advpack.dll,LaunchINFSection Mycursor.inf, DefaultInstall,3
      4⤵
      System Binary Proxy Execution: Rundll32
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of AdjustPrivilegeToken
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Rundll32

T1218.011

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

Filesize
155KB

MD5
96a14f39834c93363eebf40ae941242c

SHA1
5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc

SHA256
8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a

SHA512
fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

Filesize
155KB

MD5
f7c714dbf8e08ca2ed1a2bfb8ca97668

SHA1
cc78bf232157f98b68b8d81327f9f826dabb18ab

SHA256
fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899

SHA512
28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
79adf9924b96c1cb9ef365475baacff6

SHA1
3787960ea7487e697fdfb3ea58477279849bef21

SHA256
91c14f4aee2af47657b303ee322ec7951a300939170cda293ca1d2c40b2ffd9e

SHA512
3eb1d39f009c62187ad6005e6d6942d508eabbf8956b0e76ddd631fdeef594f484655c70ece044489d905236eccdb5846a2a6f35d81d6f7ca307ee1149e12d96

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
c1d222fe7c6311e0b8d75a8728aa4ce7

SHA1
fe5ec004827c9ac8ddc954fabcfc1e196f49f340

SHA256
ea992e36be623bdafce1062dba476a76dd4b72bcb9173431519227a07b462d18

SHA512
0a209fe566a12274bac9e11937f6aa459f13e73658d6fff63db8fe9b654e9e87aa0406e3454d68ec1897b0465a9c7d9348f45edff434856736bdfa4445e34fa3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_A~1.CUR

Filesize
4KB

MD5
ea1996c015e146d484888cbb90581691

SHA1
83d349bb3c870b7f048f7c132de62bc4094b940a

SHA256
bd5863c01bdad1b10b08726e1932dac53aedfa0737be305c63df536afd9b3b74

SHA512
7695ccea64201928ef36237fa6d3c0c564aa380b6323fda9178931e9ea2e4cd61f999c59972f0ca1b14b5b7eee4631dbcaa09d52898ba5aebba4aa7de521a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_B~1.ANI

Filesize
75KB

MD5
27eb04af547dab9b3648605327e847bd

SHA1
733444f7d23dfd26089a9662e11077e56e4fbc66

SHA256
a8ab3345ac31bb07edfc972933e244edd73b9416e4cb9bbe975472e3a50b12a9

SHA512
730dff6e1a097542502719a2c73ce65e98e869fc24fee4cbf658373411528926b5579c16931815a15b038c9f9d47b499e95f02f0545e6fc3a0efb2cb3de120e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_H~1.CUR

Filesize
4KB

MD5
0008689d017e143ff49f38b94d63876d

SHA1
3889edd8815d5bbf26f6f12358fc15284b65d49d

SHA256
559eeaad1f057226d2965c507094a72584a3f23d2a987635cf0f53b7ea79b33b

SHA512
d1aae27536bdad5e522aa3e2a9f58cbe21f868ab44db0e44f5129e72c40a263587da998600927b8666bd8d8dc1dc8ac0e8235f47131c4f46b4d9e2318237e863

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_L~1.CUR

Filesize
4KB

MD5
ad452e2520bacd56a35f125616480c3c

SHA1
33a9daa7c6766c95848b94e1010e50d5e4e3ec7c

SHA256
98fdf59ac899a9c2510b5064b50be5b61b48ccfd0b9247874a6097793f2c3057

SHA512
29d95def709e6c290ace4a8deba553345af0d78b618b9659bf0bc37495053582c060409a450b1f5c0fdde74fece01629a4c2a5c401b293e2cc04634d1e858f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_M~1.CUR

Filesize
4KB

MD5
e5dcb831e11ec5d8a0f2e51656bccba0

SHA1
9d80e249984c5a835c361c86a8057132efe3b177

SHA256
54181c6b555396ba623781663dc20388edf85cfc49a7d86466dbb937dcead4b3

SHA512
9ef4dbb16947b740dc747a57c4f5a109dde242f15e33533a73e295d6e6ec2a8a9307b59e9d3ff2716e4a77039df34596b3c335d93255374e7155e1c1875d975b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_N~1.CUR

Filesize
4KB

MD5
6f2eb112fe01ee3c84bbbfa64092b079

SHA1
e0ecdcc506e6b3ee6c25e3fa78ad8a7cd6a15476

SHA256
de8ca70a6bd0e8738200cfe5a9d2e50514c8274e39e9939493726cc307ea7df4

SHA512
b5c9eebecb25dfc2a8069e346381f3c401a4a9a6a568627a80fe131a87a6223d851e57578aa87c413943a22dab6dd88c43e617c02ca3130d90a194b87c6aa272

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_N~2.CUR

Filesize
4KB

MD5
d3f4e3b187ded3f53cdc7435a10d23b2

SHA1
76e95f1eefd8e7af946c9a6149a0b16824a6adb8

SHA256
26ba676103297f4fe9dba4d49238be80b1a7dbb1e869ec1a0986c6e7afdfd07b

SHA512
4ce0b8a8a01db56ecdbaaccb60f34ffd54496dfaca02c115fe358fd923b54e256196c7d2286d7644670ec0e4de9b796c2c3d659078868ce4ce6ce6a129227a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_P~1.CUR

Filesize
4KB

MD5
e67d9223b642c25aabc6bc3e1b9067cc

SHA1
7655e8328a20428f92cda20c3361e196614b9c7b

SHA256
82960bbb060bf78779c736e325c83a30fb44f8f5d4d05ba984f7594e2f7438b5

SHA512
8d9d821b910fa253368c7c7ed4e59034c06eb728320424686b0bbf9a6815639a6d46627d7a6fecb2599a6d67104e853d47fa0660ab05ad74fec207013c7d79b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_S~1.CUR

Filesize
4KB

MD5
fb4034a0dff9163fde813a30b2c1d1c1

SHA1
735bc76fbd197699243a4033b419714c2b76de38

SHA256
df2de2269ac181eca37be88f50613d4e64fe1bb32e597b442f681e470db33b14

SHA512
98b1e91d9fbf8e0ee5471ed93154e13b08b0f83e1a8858f717ed52d1111887ac3a610d25f412ea3844305db47d0434454cda0b7115b9f9c36e9c1dab3788e11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_U~1.CUR

Filesize
4KB

MD5
ec5e4f9c4749a4aae668fa7ccafecff4

SHA1
2cb204d7594ecf738949f48949aa6f7e2b54750a

SHA256
d765ab5b0ee32b0a8cb3b3b133766101bf95741afb6a45621acae0b8ca662bfc

SHA512
f8126967bf44bbd77a795ae44aaf6c84142407ee9f5c499a31bf6e15e5112e22ed0866f5d7a555274ab77550ff2006b423c1b2c12da3a9d6927e99e147d62aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AERO_W~1.ANI

Filesize
75KB

MD5
02c86ee6b68148cdbdf9cce3b50c5938

SHA1
725944fa8060c054508319d55b4e3e11149f72d1

SHA256
8685bf675bed7c0626fed013acf52ab81b9a3ba09e6830a5733d43a50d43a73c

SHA512
bb9cf3d6d150059d72c0d77d3d1bc0a22ad65e720e9276e6ac6d4bae94e00fb834158f7b670195eb15806770d777db4265fcb18a7ef15a291907479a18843083

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mycursor.inf

Filesize
2KB

MD5
f74176552e3d4a527b7b9dde52fa00d6

SHA1
f83e181b886d943d092bbae22baaaeb98c6f40bf

SHA256
d9de7ae638b0347d48055dbf60142fe65978cc5cb2b8d7f54a61916c1cc103d4

SHA512
2d79064cb20af742fc36963c001ec24fa7db36819c5d2a9ce463ded8475ead6e9251dfbf9dbad5eaf62a5bace1d210e30dc175ea143c2ca6f579d1afa7e74e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\aero_alt.cur

Filesize
4KB

MD5
edd96aef0347b025a8544d3fac0ce120

SHA1
3709730eb773672e9f8baa072760708eeb83779c

SHA256
e12b2bb99ec88e854843af4ad59aa2b7848fac401102a692896d5cb9ee7b3969

SHA512
0ce753bdd93ce44b8b6edc3f1e00209a5f218ae24c1f47b841a7fce3f88936557913d0948706527197c19831908e336896c9428be19ec7cb8f6d653a7990d277

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\aero_ew.cur

Filesize
4KB

MD5
d680063d9d9cae42bb1e00701533539b

SHA1
1d9c43332989a4c872d7012f1601ac594160d9da

SHA256
093c36f1baa94b49498b173a197a99c72835381aa0b1823ae669eb19adfcc430

SHA512
7a9711662261a6085434799c155aca145822e35586a1f8118b3c5828c2d49549e02855a09ae555d18c2ee83310d5fedeead90ba7d5e4fe60625ccb3878bfb841

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\aero_ns.cur

Filesize
4KB

MD5
f55ee079e1584126368a0a003cf5da52

SHA1
7f9545c3da864c57ac5dd6aa2ece330249f8529b

SHA256
ae87e1be2012a8d22db328bec839cc01705776df4a8668a373d2d7efd918cc09

SHA512
776e5fb73980edf7413079bd63de42d92880a4d61e06cddcbde87f0a54b19eeb66d27825953dbcca75d3112e8830cfe3db96f06a0bff2392cd8d2e68ba0a5bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\aero_pen.cur

Filesize
4KB

MD5
8908dc992d2868e7cac099e5866169fa

SHA1
0677d5f99f329f657dba1e511937df8e977cb51e

SHA256
7e99a350ddaf9d1bf939f26a0a365e6677b0770ef70332fc478729473598c46a

SHA512
e2c3f3e2fdf18caf609c2b560475a55c3a1aefbd5462b56278179baf0176ab11b2af292ae61c6ac4134114884b5817eb702c4ab32d8aa608d30ab429d20e982c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
0e91e6313ebc01f4b98c22d1d6b11bbe

SHA1
1c991a428cf551aee4f492bc7177e27e6014e2de

SHA256
240878687d4da204e6f4b401ebb5423e0d4d007d09cc1786d51d1cd530fbd0d5

SHA512
234a565207c850e6fbf86061e211191009dcd8ce325d133d9068836db86aeb0a8011e528f2298efc45387d451258e8138fa02e2fb5225665d22e983c2d864894

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
6b26844eaa7c78f46ac6f3490275a2b8

SHA1
4e248e4097cdf49d5ca6b7a4a1b28512bef78c44

SHA256
ff4f1b62afdb5f2ff2ca6b473367772d5adbe16986bc5e5b20fea836e9cbd1f5

SHA512
7e1ac515a11d359fa86f433de5090678ba1b53da3df0f771f4f29d225a5b181dbdbd21b657873f52f8b7d4b3071cbd7971b4acc8515b0201eecaa72b59efc553

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_46e61d1b5376dd6642a40e5465318410.exe

Filesize
153KB

MD5
3156fa664111c639c4a93b573618c240

SHA1
c68c519551aa903709154b729c4dff86f2f498c8

SHA256
1277746f4a302f644ac2910b7e80b51a9cf7c55be8f88fc8cdfae7b01dbf58be

SHA512
2e733c073f0641f3b12f914c384535769b1ec45aa478537edf9177585354fabe08314193df00327bd57ca0a994d425ece9cfe534716c7c61fb86ffb534200cb9

Download Submit
memory/2408-209-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2408-217-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2840-210-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2840-212-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-208-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads