a63630d5693aa0df2d41847b2c6ad6c91e7a21fdf53ca39246acaafa9f649c14

Analysis

max time kernel
128s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
Size

7.2MB
MD5

ff6228357aedc5a2486c7e4c48bd5e62
SHA1

61e1bca85d5d25e9d54b221608f24e374107ec1a
SHA256

a63630d5693aa0df2d41847b2c6ad6c91e7a21fdf53ca39246acaafa9f649c14
SHA512

9bfb209f312972aeda7a2af1421b06cff4783ad2a3ea1c32c039a55e32cae62a2a8eb52b962a6a264fd0ec7a015e0b33f4ee0b038ebbb8dcae021aa3e13e2e60
SSDEEP

98304:jjBxcO4EYTjigxC9Y5lpuG8RNay091BAGUoq2VjnmL:jjBxcO4jjSQIG8WyizUGnQ

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Drivers\ETC\HOSTS	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Windows\system32\Drivers\ETC\HOSTS\HOSTS	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2760-0-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/files/0x0008000000023445-5.dat	upx
behavioral2/memory/2760-650-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\System Database Administration Service = "C:\\Windows\\system32\\DbTasker.exe"	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DbTasker.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hal.dll	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DBTASK.EXE	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dbzip2.dll	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dbexe2.dll	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LockFile.dat	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DbTasker.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\cs-cz\Full warez download sites.html .pif	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\DVD Xcopy PRO Illegal Warez.iso .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\fr\Pamela Anderson FULL VIDEO.mpg .scr	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\et-ee\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\el-gr\Full warez download sites.html .pif	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\nb-no\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\lv-lv\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\office16\office setup controller\Playboy centerfold HOT.gif .scr	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\pt-br\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\triedit\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.netcore.app\6.0.27\Playboy centerfold HOT.gif .scr	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\m0ædc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\es\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\en-gb\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fi-fi\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\main\Windows XP SP3 REAL VERSION.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\Windows XP SP3 REAL VERSION.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\Visual Studio .NET FULL.zip .cpl	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\cs-cz\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\el-gr\Internet Explorer 7 FULL BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\es-mx\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\main\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\sl-si\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\Playboy centerfold HOT.gif .scr	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\m0ædc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\tr\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\zh-tw\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\stationery\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\ja\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\th-th\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\de-de\Playboy centerfold HOT.gif .scr	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\office16\office setup controller\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\es-es\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\cs\Internet Explorer 7 FULL BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\cs\Playboy centerfold HOT.gif .scr	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\es\Pamela Anderson FULL VIDEO.mpg .scr	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\m0ædc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\pt-br\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ro-ro\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\textconv\en-us\DVD Xcopy PRO Illegal Warez.iso .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\triedit\en-us\Windows XP SP3 REAL VERSION.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\microsoft.netcore.app\6.0.27\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\languagemodel\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\de-de\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\cs-cz\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\pt-pt\How to stop NetSky.doc .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\tr-tr\WinAmp 5.08 FULL.zip KÓEG×Eædc:\program files\common files\microsoft shared\ink\zh-tw\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\Pamela Anderson FULL VIDEO.mpg .scr	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinTask.zip	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5040	2760	WerFault.exe	86

NTFS ADS 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\ŸÕE`çdc:\program files\common files\microsoft shared\msinfo\it-it\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÖEðédc:\program files\common files\microsoft shared\vsto\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\„ædc:\program files\common files\microsoft shared\vsto\Windows XP SP3 REAL VERSION.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .pifc:\program files\common files\microsoft shared\vsto\Internet Explorer 7 FULL BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\oÓEÐädc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\cs\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ŸÕE`çdc:\program files\common files\microsoft shared\ink\de-de\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv¼çdc:\program files\common files\microsoft shared\ink\ja-jp\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÖEðédc:\program files\common files\microsoft shared\stationery\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .scrc:\program files\common files\microsoft shared\textconv\Visual Studio .NET FULL.zip .cpl	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\oÓEÐädc:\program files\common files\microsoft shared\vsto\10.0\1033\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]KvÜìdc:\program files\common files\microsoft shared\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\FULL.zip .exec:\program files\common files\microsoft shared\Windows XP SP3 REAL VERSION.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program fFc:\program files\common files\microsoft shared\ink\da-dk\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv¼çdc:\program files\common files\microsoft shared\ink\tr-tr\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ c:\program files\common files\microsoft shared\vsto\10.0\Full warez download sites.html .pif	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .cmdc:\program files\dotnet\shared\microsoft.netcore.app\8.0.2c:\program files\dotnet\shared\microsoft.netcore.app\8.0.2\Kazaa Lite 2005 Edition.rar .pif	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ôãdc:\program files\common files\microsoft shared\vsto\10.0\Windows XP SP3 REAL VERSION.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv¼çdc:\program files\dotnet\shared\microsoft.netcore.app\7.0.16\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\dádc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\cs\Windows XP SP3 REAL VERSION.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ec:\program files\common files\microsoft shared\ink\ar-sa\Windows XP SECRET DEVELOPER serials.txt .cmd	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv¼çdc:\program files\common files\microsoft shared\ink\cs-cz\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÀŸ4c:\program files\common files\microsoft shared\ink\ro-ro\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .exec:\program files\common files\microsoft shared\textconv\Pamela Anderson FULL VIDEO.mpg .scr	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ŸÕE`çdc:\program files\common files\microsoft shared\triedit\en-us\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]KvLêdc:\program files\common files\microsoft shared\vgx\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ c:\program files\dotnet\shared\microsoft.netcore.app\Full warez download sites.html .pif	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv,ådc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\tr\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program fFc:\program files\common files\microsoft shared\ink\fr-fr\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\0,}ušc:\program files\common files\microsoft shared\clicktorun\Norton AntiVirus 2006 BETA.rar .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv¼çdc:\program files\common files\microsoft shared\ink\ru-ru\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ôãdc:\program files\common files\microsoft shared\msinfo\de-de\Windows XP SP3 REAL VERSION.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv¼çdc:\program files\common files\microsoft shared\vsto\10.0\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\@ Ÿ4c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\pl\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv,ådc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\zh-hant\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\oÓEÐädc:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program fFc:\program files\common files\microsoft shared\ink\ja-jp\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]KvLêdc:\program files\common files\microsoft shared\vsto\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\@Ÿ4c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\oÓEÐädc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\de\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ŸÕE`çdc:\program files\common files\microsoft shared\ink\nb-no\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\¸ò•c:\program files\common files\microsoft shared\ink\fr-fr\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÀŸ4c:\program files\common files\microsoft shared\ink\languagemodel\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ôãdc:\program files\common files\microsoft shared\msinfo\fr-fr\Windows XP SP3 REAL VERSION.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÀŸ4c:\program files\common files\microsoft shared\msinfo\ja-jp\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÀŸ4c:\program files\common files\microsoft shared\msinfo\uk-ua\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .exec:\program files\common files\microsoft shared\textconv\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\øî•c:\program files\common files\microsoft shared\ink\cs-cz\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv¼çdc:\program files\common files\microsoft shared\ink\hwrcustomization\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\€Ÿ4c:\program files\common files\microsoft shared\ink\sv-se\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\oÓEÐädc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\es\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ôãdc:\program files\common files\microsoft shared\ink\da-dk\Windows XP SP3 REAL VERSION.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ŸÕE`çdc:\program files\common files\microsoft shared\ink\zh-cn\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\à—c:\program files\common files\microsoft shared\clicktorun\Kazaa Lite 2005 Edition.rar .pif	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ŸÕE`çdc:\program files\common files\microsoft shared\ink\el-gr\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	\??\c:\program files\dotnet\shared\m0ædc:\program files\dotnet\shared\microsoft.windowsdÛîE×ÒEˆãdc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.27\ja\WinAmp 5.08 FULL.zip .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv¼çdc:\program files\common files\microsoft shared\ink\sk-sk\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .pifc:\program files\common files\microsoft shared\textconv\Internet Explorer 7 FULL BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\@ Ÿ4c:\program files\dotnet\shared\microsoft.netcore.app\7.0.16\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\¸ò•c:\program files\common files\microsoft shared\ink\es-es\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv¼çdc:\program files\common files\microsoft shared\ink\fsdefinitions\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ŸÕE`çdc:\program files\common files\microsoft shared\ink\he-il\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]Kv¼çdc:\program files\common files\microsoft shared\ink\ko-kr\Hacking and Virus Writing for Dummies.pdf .exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ŸÕE`çdc:\program files\common files\microsoft shared\ink\pt-br\WinRAR 4.01 Cracked BETA.exe	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÀŸ4c:\program files\common files\microsoft shared\ink\tr-tr\Windows 2000.iso .com	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
2760	ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff6228357aedc5a2486c7e4c48bd5e62_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 4828
  2⤵
  - Program crash
  PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2760 -ip 2760
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wkw4D2.tmp

Filesize
576KB

MD5
f26404c2df2cbe17f32e431868026f29

SHA1
7ba2bf5779cbcb157623271d0ffe28fb755d3f1a

SHA256
a39209fa8d05ceb15d9ac0aa9b79d2d5335c854dc148d039fc7d6d1a9f3a6b32

SHA512
ecd19631c737eca3f85c90e84d4b9fca689c8fe94cd3f581541c55545c50ea04cd02eb4a04792fd8c451dabe7e80ab5b34b0206ab3276d8ff2ef5882a0e57d56

Download Submit
memory/2760-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2760-650-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download