3c0a1e0827693b8c054762a6bc054a80cffb661bdbbe8af65c6b860565a13e42

Analysis

max time kernel
137s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
Size

90KB
MD5

72ee0ac1e129b5099e76380302dd3e52
SHA1

4a8f645f4dab1e7ec2b53fb7b65508adff5c6be9
SHA256

3c0a1e0827693b8c054762a6bc054a80cffb661bdbbe8af65c6b860565a13e42
SHA512

ff862035f92092eb5dcc4bcc88065e56c48f50f52102870ac9da455a64a5243a0abb56dadb985902f729eddc042d2e628126c184cf35e183e84cbe569f3ae8fc
SSDEEP

1536:Wjl+2lHKITkBXkHZwY3u1GyiF47b3c5y/rcBshrDCifRa1xty5PJiXWNaoAoJ:O5HKITkBXkHZwYwGyiFucOcSrum5xi3E

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3592-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000900000002343e-5.dat	upx
behavioral2/memory/3592-1494-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3592-4273-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3592-4274-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3592-4275-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3592-4276-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3592-4280-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bthudtask.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EhStorAuthn.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regsvr32.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WMIC.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\msdtcvtr.bat-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\psr.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tree.com	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\grpconv.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ipconfig.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ipconfig.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TpmInit.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bootcfg.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CertEnrollCtrl.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\find.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PkgMgr.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\printui.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchost.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\agentactivationruntimestarter.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PhotoScreensaver.scr-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GameBarPresenceWriter.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedt32.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tasklist.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllhst3g.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fixmapi.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\forfiles.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LaunchTM.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\upnpcont.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wscript.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CloudNotifications.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\forfiles.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpscript.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\icacls.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmc.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\proquota.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\takeown.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wusa.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autofmt.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkdsk.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\edpnotify.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpresult.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\grpconv.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setup16.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesProtection.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmc.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Utilman.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\instnm.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrshost.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bitsadmin.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eudcedit.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fontdrvhost.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netiougc.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntprint.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchIndexer.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sort.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SyncHost.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmd.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\label.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.41\MicrosoftEdgeUpdateOnDemand.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\misc.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javah.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_10.0.19041.1_none_233543e4fce957ae\cleanmgr.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1023_none_d3d892f3280079d7\MdmDiagnosticsTool.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..otocol-host-service_31bf3856ad364e35_10.0.19041.1_none_403af5649d7b9685\Eap3Host.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-fsutil_31bf3856ad364e35_10.0.19041.1_none_8ca9cc4ec3aae4a7\fsutil.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_10.0.19041.906_none_1756861d80a1f0f5\inetinfo.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.264_none_8adc8bd8b75d383f\UNPUXHost.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.19041.746_none_7a559100246cff2b\CloudNotifications.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-console-host-core_31bf3856ad364e35_10.0.19041.1288_none_e25de9f9d964cdad\r\conhost.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-com-surrogate_31bf3856ad364e35_10.0.19041.1_none_0469a68bc74049ec\dllhst3g.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\f\hvsimgr.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ices-appcompattools_31bf3856ad364e35_10.0.19041.1_none_a9109d150b1bf064\TSMKUDIR.CMD-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netfx4-ngen_exe_b03f5f7f11d50a3a_4.0.15805.0_none_b2fd45ddd475eb50\ngen.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\write.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\SyncAppvPublishingServer.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bcdboot-cmdlinetool_31bf3856ad364e35_10.0.19041.1_none_1746f218dd81ed09\bcdboot.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-browser-brokers_31bf3856ad364e35_11.0.19041.746_none_581ccf386ba57d51\browserexport.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-whoami_31bf3856ad364e35_10.0.19041.1_none_846d8bda2133af3c\whoami.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_2e31e8eed4b770c3\f\unsecapp.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\ndadmin.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\f\tttracer.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-proximityuxhost_31bf3856ad364e35_10.0.19041.746_none_72f50b15ab3c2aeb\f\ProximityUxHost.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.19041.1202_none_d081cba554088913\f\slui.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winlogon-tools_31bf3856ad364e35_10.0.19041.1_none_4a6487592c595dd4\mpnotify.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\r\upnpcont.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cttune_31bf3856ad364e35_10.0.19041.1_none_697599f55de29ec6\cttune.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.264_none_4de8bd849baaa96f\f\WerFault.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\WpcMon.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-isoburn_31bf3856ad364e35_10.0.19041.746_none_680d56683fad152b\r\isoburn.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\UndockedDevKit.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..resentationsettings_31bf3856ad364e35_10.0.19041.1_none_2318682da2c7a3ea\PresentationSettings.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\r\BackgroundTransferHost.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.19041.1202_none_d081cba554088913\slui.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1202_none_574a25a5ee347454\r\memtest.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.19041.1266_none_4621ad58d5f654dd\f\Robocopy.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.264_none_87b4b95ab967b582\r\fontdrvhost.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_multipoint-wmsdashboard_31bf3856ad364e35_10.0.19041.1_none_061d84508b376f80\WmsDashboard.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasclienttools_31bf3856ad364e35_10.0.19041.1266_none_e40ca34e5de298c9\f\rasdial.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1081_none_ae0369bc9fe47e6c\appidtel.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-csvde_31bf3856ad364e35_10.0.19041.1_none_b5109d57c984cfcc\csvde.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\AddInProcess32.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..deploymentmgrclient_31bf3856ad364e35_10.0.19041.1202_none_c26e06f4b82585b5\dmclient.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..nt-enrollmenthelper_31bf3856ad364e35_10.0.19041.1_none_f0bba0af1c8d1f56\PinEnrollmentBroker.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..sktop.appxmain.root_31bf3856ad364e35_10.0.19041.264_none_a71c9f7fdcd899c5\r\SearchApp.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_3f7ee0a8ee28ef7d\f\netiougc.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.1288_none_23aa03725ec9354a\r\wuauclt.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_10.0.19041.1_none_ef230558c150a821\inetinfo.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.1_none_3451e3c68828f3da\smss.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\UpdateNotificationMgr.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-attrib_31bf3856ad364e35_10.0.19041.1_none_72d3d2875ff2c886\attrib.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_2cd9cc4237e09b91\r\PickerHost.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.844_none_c171e0be75e709de\r\dsdbutil.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\UevAgentPolicyGenerator.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.546_none_36dd2ad842e4f8c3\r\csrss.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mdmagent_31bf3856ad364e35_10.0.19041.1266_none_b9c280a4d350d170\r\MDMAgent.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_regsvcs_b03f5f7f11d50a3a_4.0.15805.0_none_4534bcdd53211170\RegSvcs.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.1_none_d01fb68c391167d9\rasautou.exe-	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72ee0ac1e129b5099e76380302dd3e52_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe-

Filesize
634KB

MD5
becff8b50481e25db4e14c4002682e96

SHA1
c7054f2158ed93de28fb54d2aef9403541c717e1

SHA256
acbfbfd1af9427dca1b6ed8a9edbe321e9ff56dbd944e90c59d11ae503da8baf

SHA512
bf88886a6540ce862524949c8182db6cb7f75e7f66790c308b3b3e6ee8806a8170028fc6094bca9039f4db0be4f7c8c97e3f2e5a59f36e653a09c0010dbaa019

Download Submit
memory/3592-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3592-1494-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3592-4273-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3592-4274-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3592-4275-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3592-4276-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3592-4280-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download