881915687403750d390433879ac44b66ec0c498a1229e347c17b4bc1a00d3f7c

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
Size

1.6MB
MD5

05a4eb61bea75c2d17da7605c6b98d34
SHA1

5a83dc12f4bc2cfa77d2b10b593bce66d1e8e62d
SHA256

881915687403750d390433879ac44b66ec0c498a1229e347c17b4bc1a00d3f7c
SHA512

52a92bf96f3e16275b8906b588adfb08315ba5f1295413b2914438694ad826f13ac6c49b2a0e5868519796e90f566e1367c564adbab490220b75444b944d8659
SSDEEP

12288:kIq2w3/b4Mph32oihrv6vNb/1oLfjQw43sQVtX2:kIs/MMpd2JZyNb1oLfjz+Zm

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000d00000001342e-6.dat	upx
behavioral1/memory/2184-3673-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2184-3677-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\autochk.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\makecab.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\whoami.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrm.cmd	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\find.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srdelayed.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wuapp.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDCT.EXE-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InfDefaultInstall.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cliconfg.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\icsunattend.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ssText3d.scr-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rdrleakdiag.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ftp.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\openfiles.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systray.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\certreq.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\perfmon.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\poqexec.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\proquota.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdchange.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setx.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TSTheme.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diantz.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\format.com	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Magnify.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\osk.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sbunattend.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchProtocolHost.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WerFaultSecure.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xpsrchvw.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chcp.com	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\clip.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\instnm.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tasklist.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\attrib.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\auditpol.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\user.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wimserv.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wscript.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HOSTNAME.EXE	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runonce.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdiagnhost.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tracerpt.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmd.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rekeywiz.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\more.com-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\raserver.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xpsrchvw.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\odbcconf.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setupSNK.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autoconv.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chcp.com-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drvinst.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fontview.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\icacls.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netbtugc.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setupugc.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\wab.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\DebugUnprotect.cmd-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\ktab.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zFM.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-nslookup_31bf3856ad364e35_6.1.7601.17514_none_29a6795f7d1218c6\nslookup.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_90ecf919657dacf4\NETSTAT.EXE-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wpd-shellextension_31bf3856ad364e35_6.1.7601.17514_none_6f4ef219dd693ca6\WPDShextAutoplay.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_ef38a8d0d05cc2c7\IMJPUEX.EXE-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\ehome\mcupdate.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_11.2.9600.16428_none_3bb1024f1e6bc086\mshta.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\poqexec.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.1.7600.16385_none_2831d06e8295c671\upnpcont.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..eoptionalcomponents_31bf3856ad364e35_11.2.9600.16428_none_87f259ebb3f177fa\ConfigureIEOptionalComponents.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\tree.com-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systray_31bf3856ad364e35_6.1.7600.16385_none_f327d2f6575da8ce\systray.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-runonce_31bf3856ad364e35_6.1.7601.17514_none_17c23e881d4a0b0b\runonce.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..mpropertiesadvanced_31bf3856ad364e35_6.1.7600.16385_none_f71eddfb459a0155\SystemPropertiesAdvanced.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_3ddbd9a9605f0519\UI0Detect.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-dw_b03f5f7f11d50a3a_6.1.7600.16385_none_5a768666c3091014\dw20.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_aef2c7dbb6cc16c1\ftp.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.7601.17514_none_e292664733bd5af6\ie4uinit.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-muicachebuilder_31bf3856ad364e35_6.1.7601.17514_none_1c140627131a6df3\mcbuilder.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-control_31bf3856ad364e35_6.1.7600.16385_none_f560eae4c42edb14\control.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-format_31bf3856ad364e35_6.1.7600.16385_none_827dd459a3aa9980\format.com-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_fa8534ab236134c4\mfpmp.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_6.1.7600.16385_none_494ba66d2a12efc3\Netplwiz.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-wizard_31bf3856ad364e35_6.1.7600.16385_none_7680aa7b6195f2c6\DVDMaker.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.17932_none_d088def7226177d5\setup16.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_11.2.9600.16428_none_ae214da780801b0f\RegisterIEPKEYs.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-utilman_31bf3856ad364e35_6.1.7600.16385_none_028006129290e443\Utilman.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_6.1.7601.17514_none_dfe02de35bf41e0b\PrintBrm.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-reliability-postboot_31bf3856ad364e35_6.1.7600.16385_none_a9b5c1d91f03e0b4\RelPost.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-applaunch_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_51e5e402131afc4a\AppLaunch.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-at_31bf3856ad364e35_6.1.7600.16385_none_4cd7fa8ce5381b26\at.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.1.7601.17514_none_ebc99983d3d18578\dwm.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_6.1.7600.16385_none_4b49a2c2123fd42c\systeminfo.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_9da1b3254ff796e9\msra.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\find.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_34ce5d95ad203bbe\ROUTE.EXE-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eventcollector_31bf3856ad364e35_6.1.7600.16385_none_5702948e8e63fc30\wecutil.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277\lsass.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_6.1.7600.16385_none_a749cec7a8b6bf08\wbadmin.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-iediag_31bf3856ad364e35_11.2.9600.16428_none_f937400aa65f97cc\iediagcmd.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_db2b15bfcf64f104\iexpress.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_6.1.7601.17514_none_f8852afc12f84e8e\nltest.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_aeb1ef0f4e6bba1d\cscript.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-icacls_31bf3856ad364e35_6.1.7600.16385_none_328af534074dc6cc\icacls.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_0935b76c289e0fd5\poqexec.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce\iexpress.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\twunk_16.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.22091_none_d2b1c721321aadf8\conhost.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\tskill.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-xcopy_31bf3856ad364e35_6.1.7600.16385_none_beea9c500dfd4622\xcopy.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..cationnotifications_31bf3856ad364e35_6.1.7600.16385_none_175ab6276b721d6a\LocationNotifications.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\diskperf.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\ehome\WTVConverter.exe	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..s-mdac-odbcconf-exe_31bf3856ad364e35_6.1.7600.16385_none_0d4d30a05370cb73\odbcconf.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_0177539a37378025\msdt.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104\sdbinst.exe-	05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x000d00000001342e-6.dat	nsis_installer_2

C:\Users\Admin\AppData\Local\Temp\05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zFM.exe-

Filesize
2.5MB

MD5
5fc5be0cc59422c970197f49e768d163

SHA1
de2219bc5da2ab487c0e7d5e0ef45b42788ed263

SHA256
8768004a2a2fc3b18a9854587774ee365a298223945b8f175d102723b9b5b12b

SHA512
ec1c9896da38ea3b854365a1c24ac997e92fc659af3bf0419aaa9d1169af222c44f2989b9ce272ec013969aa8c78812466e07c4b1ae415aa24e16d33e5f3552e

Download Submit
memory/2184-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2184-3673-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2184-3677-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download