8bfa1e8439e699df9dbcb38459ead1e74b99589b795895af158b7beead3b99f0

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
Size

8.7MB
MD5

ec8568311b8a3aecfe881f5b8893d0f8
SHA1

97275d9aeb21830eaab4fd715bfcc409f605ee9f
SHA256

8bfa1e8439e699df9dbcb38459ead1e74b99589b795895af158b7beead3b99f0
SHA512

37858ccedb2325920e9207ae4ab92107a0c37647229e14ddf98f06413410dc42ae57fe8353e5df4c8f66ad893ad9dca0e00bbc72bde386195cb40088a0d11a32
SSDEEP

196608:jjBxcO4jjbylQIG8hjBxcO4jjbylQIG8Xd:zQkQIG8xQkQIG8N

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Drivers\ETC\HOSTS	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Windows\system32\Drivers\ETC\HOSTS\HOSTS	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1308-0-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/files/0x0007000000023219-5.dat	upx
behavioral2/memory/1308-354-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\System Database Administration Service = "C:\\Windows\\system32\\DbTasker.exe"	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DBTASK.EXE	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dbzip2.dll	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dbexe2.dll	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LockFile.dat	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DbTasker.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DbTasker.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hal.dll	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\en-gb\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\de-de\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\ja-jp\Full warez download sites.html .pif	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\de\Internet Explorer 7 FULL BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\hu-hu\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\cs\Full warez download sites.html .pif	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\main\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\it-it\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\da-dk\Pamela Anderson FULL VIDEO.mpg .scr	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\textconv\en-us\DVD Xcopy PRO Illegal Warez.iso .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\hwrcustomization\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ja-jp\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\office16\office setup controller\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.netcore.app\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\de-de\DVD Xcopy PRO Illegal Warez.iso .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\triedit\en-us\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\vc\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\vc\Pamela Anderson FULL VIDEO.mpg .scr	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\1033\Full warez download sites.html .pif	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\ko\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fr-ca\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\cs\DVD Xcopy PRO Illegal Warez.iso .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\cs-cz\Full warez download sites.html .pif	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\el-gr\Internet Explorer 7 FULL BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\1033\DVD Xcopy PRO Illegal Warez.iso .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.netcore.app\6.0.25\Internet Explorer 7 FULL BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\comc:\program files\common files\microsoft shared\ink\bg-bg\NORTON Internet security 2006.rar .scr	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\Pamela Anderson FULL VIDEO.mpg .scr	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\nb-no\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\cs\Pamela Anderson FULL VIDEO.mpg .scr	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\ja\Full warez download sites.html .pif	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\zh-hans\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\sv-se\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\it-it\Full warez download sites.html .pif	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\triedit\en-us\Playboy centerfold HOT.gif .scr	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\bg-bg\Internet Explorer 7 FULL BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\textconv\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\es\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\Matrix Reloaded.avi .exec:\program files\common files\microsoft shared\ink\bg-bg\Matrix Reloaded.avi .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\main\Windows XP SP3 REAL VERSION.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\lv-lv\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\sk-sk\How to stop NetSky.doc .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\cs\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinTask.zip	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
928	1308	WerFault.exe	83

NTFS ADS 64 IoCs

description	ioc	Process
File created	\??\c:\pc:\program files\common files\microsoft shared\ink\es-es\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\8˜,c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\Full warez download sites.html .pif	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program fc:\program files\common files\microsoft shared\msinfo\it-it\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìvÜìdc:\program files\common files\microsoft shared\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\cÑÈPÐädc:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\WinRAR 4.01 Cracked BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\“×ÈP`çdc:\program files\common files\microsoft shared\ink\ko-kr\WinRAR 4.01 Cracked BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\pc:\progrc:\program files\common files\microsoft shared\ink\pl-pl\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv¼çdc:\program files\dotnet\shared\microsoft.netcore.app\6.0.25\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .scrc:\program files\common files\microsoft shared\office16\Visual Studio .NET FULL.zip .cpl	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ c:\program files\common files\microsoft shared\vsto\10.0\Full warez download sites.html .pif	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ø{c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\zh-hans\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv¼çdc:\program files\common files\microsoft shared\ink\cs-cz\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\(ˆc:\program files\common files\microsoft shared\office16\office setup controller\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv¼çdc:\program files\common files\microsoft shared\triedit\en-us\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\clicktorun\Internet Explorer 7 FULL BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ôãdc:\program files\common files\microsoft shared\ink\bg-bg\Windows XP SP3 REAL VERSION.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\€ßdc:\program files\common files\microsoft shared\ink\da-dk\Hacking for Dummies.pdf .cpl	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv,ådc:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\h„ývc:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\Pamela Anderson FULL VIDEO.mpg .scr	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\è‡c:\program files\common files\microsoft shared\ink\tr-tr\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv¼çdc:\program files\common files\microsoft shared\vsto\10.0\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\üÿÿÿc:\program files\common files\microsoft shared\NORTON Internet security 2006.rar .scr	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\Ø8c:\program files\common files\microsoft shared\ink\et-ee\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\“×ÈP`çdc:\program files\common files\microsoft shared\ink\et-ee\WinRAR 4.01 Cracked BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\˜5c:\program files\common files\microsoft shared\ink\fr-fr\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\¨‰c:\program files\common files\microsoft shared\ink\nl-nl\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv¼çdc:\program files\common files\microsoft shared\ink\de-de\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\pc:\program files\common files\microsoft shared\ink\et-ee\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv,ådc:\program files\common files\microsoft shared\ink\fsdefinitions\oskmenu\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\“×ÈP`çdc:\program files\common files\microsoft shared\msinfo\de-de\WinRAR 4.01 Cracked BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ôãdc:\program files\common files\microsoft shared\msinfo\it-it\Windows XP SP3 REAL VERSION.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program fc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\es\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\¨ƒc:\program files\common files\microsoft shared\ink\sl-si\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .scrc:\program files\common files\microsoft shared\vsto\10.0\Hacking for Dummies.pdf .cpl	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ø{c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\tr\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .exec:\program files\dotnet\shared\microsoft.netcore.app\Windows XP SP3 REAL VERSION.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .exec:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\es\Windows XP SECRET DEVELOPER serials.txt .cmd	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\pc:\program files\common files\microsoft shared\ink\de-de\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv¼çdc:\program files\common files\microsoft shared\ink\ja-jp\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÔÈPðédc:\program files\common files\microsoft shared\officesoftwareprotectionplatform\WinRAR 4.01 Cracked BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìvLêdc:\program files\common files\microsoft shared\textconv\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\cÑÈPÐädc:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\WinRAR 4.01 Cracked BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv¼çdc:\program files\common files\microsoft shared\ink\lv-lv\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìvLêdc:\program files\dotnet\shared\microsoft.netcore.app\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\çc:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\Visual Studio .NET FULL.zip .cpl	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv,ådc:\program files\common files\microsoft shared\ink\fsdefinitions\insert\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\(‡c:\program files\common files\microsoft shared\ink\pt-br\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ø{c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\ja\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÔÈPðédc:\program files\common files\microsoft shared\textconv\WinRAR 4.01 Cracked BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ c:\program files\common files\microsoft shared\vsto\Full warez download sites.html .pif	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\“×ÈP`çdc:\program files\common files\microsoft shared\ink\bg-bg\WinRAR 4.01 Cracked BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\Matrix Reloaded.avi .exec:\program files\common files\microsoft shared\ink\bg-bg\Matrix Reloaded.avi .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\pc:\program files\common files\microsoft shared\ink\es-mx\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\pc:\program files\common files\microsoft shared\ink\fr-ca\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	\??\c:\pc:\program files\common files\microsoft shared\ink\sr-latn-rs\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ELOPc:\program files\common files\microsoft shared\source engine\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv,ådc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\fr\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv,ådc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\ja\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\è†c:\program files\common files\microsoft shared\ink\ro-ro\Windows 2000.iso .com	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\“×ÈP`çdc:\program files\common files\microsoft shared\ink\ro-ro\WinRAR 4.01 Cracked BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ c:\program files\common files\microsoft shared\vc\WinAmp 5.08 FULL.zip .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]ìv,ådc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\es\Hacking and Virus Writing for Dummies.pdf .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\“×ÈP`çdc:\program files\dotnet\shared\microsoft.netcore.app\6.0.25\WinRAR 4.01 Cracked BETA.exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\0,›t_c:\program files\common files\microsoft shared\clicktorun\Norton AntiVirus 2006 BETA.rar .exe	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
1308	ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec8568311b8a3aecfe881f5b8893d0f8_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 3844
  2⤵
  - Program crash
  PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1308 -ip 1308
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wkw4D2.tmp

Filesize
2.9MB

MD5
864e3098856dfb9fd804c7c6d0ac1b6c

SHA1
98dd4f941870465930412ba2af041b8abae53a0f

SHA256
da179e9739c9f2d09696bb2c1f46e275f8ea04a0dbc87f2a8ac339cb1f246403

SHA512
e11344964ceff14e0fac910c53375bb1a8cf5e834df6752efe8f13cf1c37e90bbaff09d4aca4cb925d18f75a52914834baf78096d81b91b4518f1d519c4dba66

Download Submit
memory/1308-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1308-354-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download