2c4232609baa5297a81a2164098e8bd9d75b9b679795cf066ae1b21a3d6d7394

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 09:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
Size

40KB
MD5

3cc865f0fbc78ac91ffe424fc29d6eaf
SHA1

38b80bdd87ec23bf9f03314951c41fb62f4c226b
SHA256

2c4232609baa5297a81a2164098e8bd9d75b9b679795cf066ae1b21a3d6d7394
SHA512

721cb192c2631761f54c5d0ecdd619ce4aeb1b425697b63e77ed7e6851f7b58b4152771ef9e67008fd512c863d3f077966eee7e521fa7f222a116591112ed6d2
SSDEEP

384:OX99ixSjVyiJY6hgDFTbMSCd4E7mlqE9oEYA4dDrteZogK5EKJFvBcLfZgod5c:uixSjVfhabM14YKdggaEirclgoPc

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\esentutl.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\help.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ping.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\replace.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\systeminfo.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\tracerpt.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wsmanhttpconfig.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\dpiscaling.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\provlaunch.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\sxstrace.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\tzutil.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\useraccountcontrolsettings.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wevtutil.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\choice.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\powercfg.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\raserver.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\setup16.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\tasklist.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\logagent.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\cscript.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\dtdump.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\gamebarpresencewriter.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ime\shared\imepadsv.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\printui.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\rdpsauachelper.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\rrinstaller.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\bitsadmin.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\runlegacycplelevated.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\whoami.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wsmprovhost.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\shiftjis.uce	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\stordiag.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wiaacmgr.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\cloudnotifications.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\getmac.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\perfmon.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\presentationhost.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\useraccountbroker.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\cipher.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\dism\dismhost.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\icacls.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\infdefaultinstall.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\mspaint.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\netplwiz.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\schtasks.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\setx.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\dcomcnfg.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\sfc.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\rmactivate.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\newdev.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\eudcedit.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\fc.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\hdwwiz.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\unlodctr.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\appidtel.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieunatt.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\iexpress.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\mobsync.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\relog.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\systray.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\taskmgr.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\diskperf.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\systemapps\microsoft.xboxgamecallableui_cw5n1h2txyewy\xbox.tcui.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-client-li..ing-platform-client_31bf3856ad364e35_10.0.19041.1_none_bf56a5e7532d9c79\licensingdiag.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\microsoft.accountscontrol_cw5n1h2txyewy\accountscontrolhost.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_aspnet_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_9202844cd514ab44\aspnet_compiler.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1288_none_a518f9eb1ab503d0\f\hvix64.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\secureassessmentbrowser.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_installutil_b03f5f7f11d50a3a_4.0.15805.0_none_d67d06ef0c4a2e1c\installutil.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.264_none_13222f28beaa00a7\r\vmwp.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\microsoft.creddialoghost_cw5n1h2txyewy\creddialoghost.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_curl_31bf3856ad364e35_10.0.19041.1_none_345cbd92bc885eba\curl.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.264_none_6b6699b671c8f5a8\vmcomputeagent.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.1288_none_6c70124c60e2b4ef\vmcompute.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hns-diagnosticstool_31bf3856ad364e35_10.0.19041.423_none_841c30f68571c385\r\hnsdiag.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\hvix64.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-d..ectxdatabaseupdater_31bf3856ad364e35_10.0.19041.928_none_138fb436497565f4\directxdatabaseupdater.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.264_none_1477a882bdce0df2\r\vmms.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-windows-a..eapplifetimemanager_31bf3856ad364e35_10.0.19041.746_none_45062eb997366a7f\f\remoteapplifetimemanager.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-c..periencehost-broker_31bf3856ad364e35_10.0.19041.746_none_1ce3c0f12fb5f8ec\f\cloudexperiencehostbroker.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-d..ectxdatabaseupdater_31bf3856ad364e35_10.0.19041.928_none_138fb436497565f4\r\directxdatabaseupdater.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_10.0.19041.1266_none_a88c5999d8585853\f\pcalua.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\microsoftwindows.undockeddevkit_cw5n1h2txyewy\undockeddevkit.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-console-host-core_31bf3856ad364e35_10.0.19041.153_none_4b81b20e830f375b\conhost.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.928_none_6012c8cabf808ff7\r\pcaui.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\r\hvc.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\f\hvix64.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\oobeldr.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\windeploy.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_10.0.19041.1266_none_a88c5999d8585853\r\pcalua.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.264_none_d58a0ca50a94510c\r\vmcompute.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1288_none_a518f9eb1ab503d0\hvax64.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.19041.1023_none_5c93ef2449c89609\securekernel.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\microsoft.bioenrollment_cw5n1h2txyewy\bioenrollmenthost.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_edmgen_b77a5c561934e089_4.0.15805.0_none_ae80a3049486a75f\edmgen.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.264_none_d58a0ca50a94510c\vmcompute.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-u..iedwritefilter-mgmt_31bf3856ad364e35_10.0.19041.1266_none_41843efc8f66bc7c\r\uwfmgr.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.1_none_37f2e74a0020dc93\pcaui.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File created	C:\Windows\explorrer.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\microsoft.aad.brokerplugin_cw5n1h2txyewy\microsoft.aad.brokerplugin.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.264_none_1477a882bdce0df2\vmms.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\inputapp\textinputhost.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.1202_none_024525bdc81df50d\n\vmcomputeagent.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_jsc_b03f5f7f11d50a3a_4.0.15805.0_none_02d98290c2a0aa6b\jsc.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\parentalcontrols_cw5n1h2txyewy\wpcuapapp.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_aspnet_regsql_b03f5f7f11d50a3a_4.0.15805.0_none_aadf84cda75da02d\aspnet_regsql.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-client-li..ing-platform-client_31bf3856ad364e35_10.0.19041.1266_none_7e2b6be969016c27\r\licensingdiag.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\microsoft.lockapp_cw5n1h2txyewy\lockapp.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1202_none_76e6fb38a70dbd6d\gamebarpresencewriter.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\hvax64.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1266_none_aa0661cc14f9fe9a\r\vmwp.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\cexecsvc.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1288_none_a518f9eb1ab503d0\f\hvax64.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\microsoft.windows.callingshellapp_cw5n1h2txyewy\callingshellapp.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hns-diagnosticstool_31bf3856ad364e35_10.0.19041.423_none_841c30f68571c385\hnsdiag.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1288_none_f92f7256107c0e35\nvspinfo.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1288_none_a518f9eb1ab503d0\r\hvax64.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\helppane.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\oobenetworkcaptiveportal.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\systemapps\windows.cbspreview_cw5n1h2txyewy\camerabarcodescannerpreview.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.1_none_23025624c75c162f\oobeldr.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-u..iedwritefilter-mgmt_31bf3856ad364e35_10.0.19041.1_none_82af78fa7992ecce\uwfmgr.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1266_none_ab5bdb26141e0be5\f\vmms.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\winsxs\amd64_microsoft-onecore-s..chservice-component_31bf3856ad364e35_10.0.19041.1266_none_2262e67641106c48\r\speechruntime.exe	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\panther\mainqueueonline0.que	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
File opened for modification	\??\c:\windows\speech_onecore\engines\tts\en-us\nusdata\m1033mark.keyboard.wve	3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2008	4536	WerFault.exe	82

C:\Users\Admin\AppData\Local\Temp\3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cc865f0fbc78ac91ffe424fc29d6eaf_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 30992
  2⤵
  - Program crash
  PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4536 -ip 4536
1⤵
PID:4876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\camerabarcodescannerpreview.exe

Filesize
569KB

MD5
ea5822ac6eee256a55149c3c9850e795

SHA1
3c9747a33de6a7d416580b912b9203471aaa4abd

SHA256
d86da052775ccadab042490d29147655beead2078cbf17f42312d520cfe98a27

SHA512
6da5cb3163435f2b02ceacbeb50fd6b06ff7f2bed3fa92c13a85bec3c6bfabc4e42de0b884e1a0efd0b15cf9136c42b48c0ae238e90e3b123cbccc3f0798cc30

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads