Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2024 12:31
Behavioral task: behavioral1
Sample: 05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
Resource: win10v2004-20231215-en
General
Target: 05a4eb61bea75c2d17da7605c6b98d34_JaffaCakes118.exe
Size: 1.6MB
MD5: 05a4eb61bea75c2d17da7605c6b98d34
SHA1: 5a83dc12f4bc2cfa77d2b10b593bce66d1e8e62d
SHA256: 881915687403750d390433879ac44b66ec0c498a1229e347c17b4bc1a00d3f7c
SHA512: 52a92bf96f3e16275b8906b588adfb08315ba5f1295413b2914438694ad826f13ac6c49b2a0e5868519796e90f566e1367c564adbab490220b75444b944d8659
SSDEEP: 12288:kIq2w3/b4Mph32oihrv6vNb/1oLfjQw43sQVtX2:kIs/MMpd2JZyNb1oLfjz+Zm
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/3180-0-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/files/0x000f00000002314e-5.dat | upx
behavioral2/memory/3180-2397-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3180-4278-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3180-4279-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/3180-4283-0x0000000000400000-0x000000000040F000-memory.dmp | upx
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
NSIS installer 1 IoCs
resource | yara_rule
behavioral2/files/0x000f00000002314e-5.dat | nsis_installer_2
Downloads
Filesize: 6.6MB
MD5: 715bbfd749d713886cb203347ae88b3c
SHA1: 47cf49fd996382ba220e51c1325fb946527c024a
SHA256: ccbf9e55cec2b2a7de2ffeba000cedc1b71b4613135d5b33944db6ce9b1a78c9
SHA512: d96780ee1d60cf9a211263709b71f939ff5f27b4d7909e1bebcd6bbddc3b15d2f87f73e50f79b378092c5cf8035619938dc3ab7ee639a8c71cd06a28a1367a10