09a2abf5ee6e6e68e7b16d315c00295d8cce34f987a8fbdc83dfe1b8f0853337

Analysis

max time kernel
144s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 05:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
Size

58KB
MD5

7728703c4860fed73a7a1104f46941fd
SHA1

1a4b23898ed1fc5b1e3e772faee7dc2fb46eb447
SHA256

09a2abf5ee6e6e68e7b16d315c00295d8cce34f987a8fbdc83dfe1b8f0853337
SHA512

9ddc72a1773176af71c2057892623b4b55911c824dfc59686d84f29a6004232335b1b04fca69c78760e455ded55a546a1f0796cbe47accd35a889703335d09c6
SSDEEP

768:W9BlZMP2l2wQ095aITkBXkVHZZSq0vGmme6TAaS2RSePH:Wjl+2lHKITkBXkHZwq0gTAahSYH

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4984-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000900000002342d-5.dat	upx
behavioral2/memory/4984-3255-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4984-4268-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4984-4269-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4984-4274-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\choice.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\colorcpl.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systray.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\printui.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasdial.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TSTheme.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dfrgui.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dialer.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fltMC.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mspaint.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WMIADAP.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WMIADAP.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrshost.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\getmac.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdchange.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wscadminui.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesProtection.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tasklist.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cleanmgr.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fsquirt.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\perfmon.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\makecab.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\newdev.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\printui.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TpmInit.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tracerpt.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkdsk.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\recover.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmstp.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TRACERT.EXE	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\waitfor.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wscadminui.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InputSwitchToastHandler.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\waitfor.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wowreg32.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AtBroker.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttunesvr.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EaseOfAccessDialog.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ieUnatt.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\shrpubw.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bitsadmin.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ctfmon.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RpcPing.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\secinit.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\odbcad32.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\perfmon.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rrinstaller.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CloudNotifications.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmmon32.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicli.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\newdev.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wusa.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ByteCodeGenerator.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\credwiz.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllhost.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\extrac32.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chcp.com	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\dotnet\dotnet.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\nacl_irt_x86_64.nexe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.41\MicrosoftEdgeUpdate.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\nacl_irt_x86_64.nexe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-analog-facefodhandler_31bf3856ad364e35_10.0.19041.1_none_604b329da953cf68\FaceFodUninstaller.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_11.0.19041.1081_none_7e66aef13d0cb227\f\ie4uinit.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.1_none_d1fafd8eeb2a2637\SpeechUXWiz.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..client-decoder-host_31bf3856ad364e35_10.0.19041.207_none_00b5dbdfab19326f\f\UtcDecoderHost.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-photoscreensaver_31bf3856ad364e35_10.0.19041.746_none_eda92e20fee7d318\f\PhotoScreensaver.scr-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessmentBrowser.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..switch-toasthandler_31bf3856ad364e35_10.0.19041.746_none_a89196e695076787\r\InputSwitchToastHandler.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1060d2d22df7c6eb\r\WWAHost.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-capturepicker.appxmain_31bf3856ad364e35_10.0.19041.423_none_12ca604b48f8d3fb\r\CapturePicker.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\r\tttracer.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\wmpshare.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.19041.1266_none_4621ad58d5f654dd\Robocopy.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\query.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.264_none_4de8bd849baaa96f\WerFault.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-oobe-machine_31bf3856ad364e35_10.0.19041.1266_none_82441dbab862ff6a\f\msoobe.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.84_none_9d98e005fb7852ca\SecurityHealthHost.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ttings-removedevice_31bf3856ad364e35_10.0.19041.746_none_915a78ef54321214\f\SystemSettingsRemoveDevice.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_1a55178fad503598\tttracer.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.19041.1165_none_a82485b8f343811f\f\WaaSMedicAgent.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\f\svchost.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_aspnet_regbrowsers_b03f5f7f11d50a3a_10.0.19041.1_none_ca50a32caa12ab10\aspnet_regbrowsers.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\InputPersonalization.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\MsSense.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_1befc89391e44c23\convert.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-alg_31bf3856ad364e35_10.0.19041.746_none_86e29cecb9edce01\f\alg.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bcdboot-cmdlinetool_31bf3856ad364e35_10.0.19041.1237_none_d618a074f3588a53\f\bcdboot.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-certificateinstall_31bf3856ad364e35_10.0.19041.1_none_efa641d58a943e71\dmcertinst.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-deviceenroller_31bf3856ad364e35_10.0.19041.1202_none_36057e94c281704a\DeviceEnroller.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.19041.1266_none_e2f3aaf24de135ec\f\Magnify.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-cpl_31bf3856ad364e35_10.0.19041.1202_none_cc46843e404eb749\f\BitLockerWizardElev.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wab.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.19041.264_none_911b6d2a51481d59\mavinject.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.19041.1110_none_a4bfcaa32abfcf0e\r\raserver.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_10.0.19041.1_none_b89a948362edb3e7\sapisvr.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_multipoint-wmssessionagent_31bf3856ad364e35_10.0.19041.746_none_7f157730d01dcdae\r\WmsSessionAgent.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.1_none_5106d54a804dbfc3\immersivetpmvscmgrsvr.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-unlock_31bf3856ad364e35_10.0.19041.1_none_1a86be89cbd66ed2\bdeunlock.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.1266_none_1abb9653828c3f41\f\SecurityHealthHost.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.153_none_c8fbed52dad932cb\systemreset.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_49716c2392052aca\r\tracerpt.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.1081_none_e4e5027bf1e82209\f\WerFaultSecure.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.1_none_c780234a16dfd399\TabTip.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..te-musnotifyiconexe_31bf3856ad364e35_10.0.19041.153_none_1721bd4ad34c0544\MusNotifyIcon.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\r\TpmTool.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.746_none_e304dcaa2490f61c\SystemUWPLauncher.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\r\UpdateNotificationMgr.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_f89a6b0476f024dd\wabmig.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\winhlp32.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-com-dtc-runtime_31bf3856ad364e35_10.0.19041.1_none_cf441068ff6081fd\msdtc.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\CustomShellHost.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.1_none_65c819c8f144c1f4\msdt.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..d-searchintegration_31bf3856ad364e35_10.0.19041.746_none_63b0fc68ee30f2cb\r\IMESEARCH.EXE-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_470f45b46101edfb\powershell.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.207_none_4054ef70f69f6ff9\r\wpr.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-commandline-dsacls_31bf3856ad364e35_10.0.19041.1_none_ff0c3fa49f6aa0fe\dsacls.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\r\UIMgrBroker.exe-	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7728703c4860fed73a7a1104f46941fd_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe-

Filesize
603KB

MD5
b59d02a16447fa95de2ea1bb48314c1f

SHA1
f97021d43cfc753d65b49df4a56456d274e8a1ca

SHA256
18c599d4b4c926e3dd02ec19908d7e89c74a3aebdf416f9e373ba6d4f0634eb7

SHA512
8dadf366dbaa39025f3a6cff72c0bbefed8076dead97ddb4833aed4110b1a43af12e76fb8bfc7deec2d769fd76325e7cd2614f6f9c8a317e79343d94407d15e1

Download Submit
memory/4984-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4984-3255-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4984-4268-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4984-4269-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4984-4274-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download