0cceea1035916d001e17a12db007917c20db36444e3f1143f6cc6e071f0f68be

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 04:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
Size

84KB
MD5

0c732d03a5090169ccb6ca9e67c187c7
SHA1

2c7c1220dc7f0b953362daa78fcbdfe3a0c0f2bf
SHA256

0cceea1035916d001e17a12db007917c20db36444e3f1143f6cc6e071f0f68be
SHA512

350793a21ff5420246475f22b5236b3c9d7f7263608c4eeee00309c576d00d1bc9e5d305a121099cada21ed1b33a892ea0fcd9e78baa65873497e864088c2402
SSDEEP

1536:Wjl+2lHKITkBXkH78XIiZ6RzAahSYv3u1GB80Lt9HwGgKpz:O5HKITkBXkHQYiZ8znSYvwGB80L/pXpz

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4504-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0002000000022ae6-4.dat	upx
behavioral2/memory/4504-3340-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4504-4268-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4504-4269-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4504-4274-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gpscript.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PING.EXE-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EhStorAuthn.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\forfiles.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mountvol.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\notepad.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TsWpfWrp.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttunesvr.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sort.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systray.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\typeperf.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\verclsid.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkntfs.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fontview.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\prevhost.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setx.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\format.com	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\help.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ROUTE.EXE-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmmon32.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\takeown.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ThumbnailExtractionHost.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wsmprovhost.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dplaysvr.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nslookup.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ReAgentc.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setupugc.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TokenBrokerCookies.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WMIADAP.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ttdinject.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\attrib.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fontview.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RdpSaProxy.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runonce.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdchange.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srdelayed.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\credwiz.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\newdev.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\openfiles.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TSTheme.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systeminfo.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemUWPLauncher.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\appidtel.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CloudNotifications.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\compact.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mspaint.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskkill.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WinMgmt.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autochk.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dialer.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicpl.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pcaui.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\poqexec.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\certutil.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ComputerDefaults.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\DismHost.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Uninstall.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wabmig.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmplayer.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_be8a8ad4892e651d\printui.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\r\AppVDllSurrogate.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..tx-dxgiadaptercache_31bf3856ad364e35_10.0.19041.84_none_9f3e49455f52d8f7\f\dxgiadaptercache.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-displayswitch_31bf3856ad364e35_10.0.19041.1_none_a2b2be7cc3d8faf5\DisplaySwitch.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_10.0.19041.264_none_dc8146375466099a\f\DWWIN.EXE-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\poqexec.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winrsplugins_31bf3856ad364e35_10.0.19041.1081_none_8b145c40e6c6207f\winrs.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fsutil_31bf3856ad364e35_10.0.19041.1_none_825521fc8f4a22ac\fsutil.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..ing-management-core_31bf3856ad364e35_10.0.19041.746_none_ad0ed54dd130eec3\r\DismHost.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_23a707c9a0b5a8e1\Taskmgr.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1266_none_eb6597ac99d11603\audiodg.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.844_none_1d907c422e447b14\dsdbutil.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_64cb20c6329bf2bd\r\ntprint.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorQuickStart.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\f\WpcMon.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tskill.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-es-authentication_31bf3856ad364e35_10.0.19041.1_none_02027476ea57232f\EhStorAuthn.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_913591207b2aaf6f\WinRTNetMUAHostServer.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\XBox.TCUI.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dpiscaling_31bf3856ad364e35_10.0.19041.1_none_3038e0b9fa4d9cdf\DpiScaling.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..d-searchintegration_31bf3856ad364e35_10.0.19041.746_none_6e05a6bb2291b4c6\r\IMESEARCH.EXE-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\f\msinfo32.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx4-aspnet_state_exe_b03f5f7f11d50a3a_4.0.15805.0_none_a7a9eea53631000d\aspnet_state.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.1081_none_bdf809eb2dd695f9\f\AppVClient.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsimulationinput_31bf3856ad364e35_10.0.19041.1_none_21244f0b33e2b22d\PerceptionSimulationInput.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.1_none_aa1fc2e87b362d12\regedit.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wimgapi_31bf3856ad364e35_10.0.19041.84_none_809ebfa242fbf368\wimserv.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..andlinepropertytool_31bf3856ad364e35_10.0.19041.844_none_f3894559140c31d7\imjpuexc.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_10.0.19041.572_none_42ec0e96ce977bdb\r\gpscript.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_multipoint-wmssvc_31bf3856ad364e35_10.0.19041.746_none_9ebd3ef9f0c794b5\f\WmsSvc.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..-disposableclientvm_31bf3856ad364e35_10.0.19041.985_none_c3639a9e3ab1a351\f\WindowsSandboxClient.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\r\UNPUXHost.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.1081_none_bdf809eb2dd695f9\r\AppVClient.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.19041.844_none_ba2b07b5ed02761a\r\imecfmui.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..scannerpreview-host_31bf3856ad364e35_10.0.19041.546_none_70569b662ddb706c\f\CameraBarcodeScannerPreview.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\explorer.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.84_none_8a067925a612632c\f\ApproveChildRequest.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..screencontentserver_31bf3856ad364e35_10.0.19041.746_none_e540b68b09558f5a\r\LockScreenContentServer.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1_none_b0493212512a7f1a\ntprint.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_10.0.19041.1_none_efd4c696d660bdad\vbc.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-filehistory-ui_31bf3856ad364e35_10.0.19041.746_none_2c2bcd67e9d4665c\FileHistory.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_security-octagon-broker_31bf3856ad364e35_10.0.19041.84_none_51ae5c25baf813ff\SgrmLpac.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_10.0.19041.1_none_59f3ce100425ffb0\SMConfigInstaller.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..agement-coredpussvr_31bf3856ad364e35_10.0.19041.746_none_7946fb11bf19dc87\coredpussvr.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_10.0.19041.746_none_c1db40c45e8f2d9e\f\wbengine.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_10.0.19041.746_none_69061189792bce34\r\cmd.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.1266_none_8f272afdd624490f\sppsvc.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_49716c2392052aca\logman.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmpdmc-ux_31bf3856ad364e35_10.0.19041.746_none_cc5cbb9556301da3\WMPDMC.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.19041.1_none_9a8a77811e17322b\LsaIso.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_38869341091832be\r\mofcomp.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.928_none_0f531ea0d233243b\f\DiagnosticsHub.StandardCollector.Service.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\ShapeCollector.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wifinetworkmanager_31bf3856ad364e35_10.0.19041.1202_none_e17f082b30dd9027\f\wifitask.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_multipoint-wmsselfhealingsvc_31bf3856ad364e35_10.0.19041.746_none_59e1ce71631fef8f\r\WmsSelfHealingSvc.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..s-mdac-odbcconf-exe_31bf3856ad364e35_10.0.19041.1_none_c367e800917abc7d\odbcconf.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.84_none_ffbdc333a0778274\hvsimgr.exe-	0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c732d03a5090169ccb6ca9e67c187c7_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
629KB

MD5
196e83096e91ad63817f542f64f97f63

SHA1
0d066154e94799c0354f64fd0f3533e9cb8c33bf

SHA256
5929499429a7bcb65af3e7f27f04cffd78770ffd88d746948a20882616046de2

SHA512
e46c1ed25494e8bb666bea3684fcacddc775c34fc774abf729f115549cc48abbc7692f66c53c82299686c0430a442df4821e9cc2205b6ff5252f586b6d2b344c

Download Submit
memory/4504-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4504-3340-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4504-4268-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4504-4269-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4504-4274-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download