f6c0f7829324039c3ccbd79080038b43ce712b6bdd6c5925a22a963da3e6482d

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
Size

4.8MB
MD5

0020890a6fd2b80f5dbad4c031bf41a7
SHA1

78755049b701a8995b11c7c8caf0dfd3523f364a
SHA256

f6c0f7829324039c3ccbd79080038b43ce712b6bdd6c5925a22a963da3e6482d
SHA512

f653d0dca0ebdab688d752516de148e53ca8530cb37cedd10fc9dda67b4c7b86c30772ce2d826b278b073cf0944425909a2a0ccbf712b1a8fe8f6c37804b85ac
SSDEEP

49152:X/dvDllJVHgOGfAVHgOGfdBM+JnwSN2QVHgOGf:VvDllvHgObHgOETww2UHgO

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\certutil.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wscript.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autochk.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpresult.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\help.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ieUnatt.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\odbcad32.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PickerHost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\calc.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkdsk.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mspaint.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\openfiles.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tttracer.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lodctr.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WMIC.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wextract.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WerFault.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrshost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autoconv.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\backgroundTaskHost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllhst3g.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DWWIN.EXE	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dxdiag.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RmClient.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bitsadmin.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\raserver.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ReAgentc.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sort.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InputSwitchToastHandler.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xwizard.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DevicePairingWizard.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexpress.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ipconfig.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\where.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\agentactivationruntimestarter.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dvdplay.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\efsui.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SecEdit.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\UserAccountBroker.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cscript.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EaseOfAccessDialog.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eventvwr.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Fondue.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wevtutil.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mobsync.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msdt.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmdl32.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dpapimig.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fontdrvhost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpupdate.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicli.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WWAHost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\quickassist.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasdial.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\schtasks.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.264_none_223a5768a6257099\CustomShellHost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\AppVShNotify.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1081_none_5500d10e49b43346\ByteCodeGenerator.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.264_none_40d14f6c04397868\agentactivationruntimestarter.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.1266_none_07a5d18b92d8b668\r\cmimageworker.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.264_none_0f23d07ed2574292\DiagnosticsHub.StandardCollector.Service.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1288_none_a518f9eb1ab503d0\f\hvix64.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.1081_none_bdf809eb2dd695f9\r\AppVClient.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.173_none_38fc88f8cb913df1\r\winresume.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-analog-facefodhandler_31bf3856ad364e35_10.0.19041.1266_none_1f1ff89fbf279f16\FaceFodUninstaller.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devicecensus_31bf3856ad364e35_10.0.19041.1202_none_24329c73afbd2316\r\DeviceCensus.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-deviceenroller_31bf3856ad364e35_10.0.19041.1202_none_36057e94c281704a\f\DeviceEnroller.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1023_none_d3d892f3280079d7\MdmDiagnosticsTool.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..alenrollmentmanager_31bf3856ad364e35_10.0.19041.1202_none_1a780ff3456b7bcd\f\CredentialEnrollmentManager.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..scannerpreview-host_31bf3856ad364e35_10.0.19041.1_none_484e61e96e69ac70\CameraBarcodeScannerPreview.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ecapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_db09942beaf4fdfa\Microsoft.ECApp.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.264_none_87b4b95ab967b582\fontdrvhost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\Microsoft.AsyncTextService.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\f\hvc.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_198d8d483aa30ed0\gpupdate.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-compact_31bf3856ad364e35_10.0.19041.1_none_afe6484e54f00fd0\compact.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\ImeBroker.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\f\hvsiproxyapp.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_bsdtar_31bf3856ad364e35_10.0.19041.1_none_0c1f19c50b5e5f6e\tar.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_curl_31bf3856ad364e35_10.0.19041.1_none_345cbd92bc885eba\curl.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.1288_none_6c70124c60e2b4ef\vmcompute.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\f\oobeldr.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.746_none_56f2f7338735a9a6\r\FXSCOVER.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1202_none_76e6fb38a70dbd6d\GameBarPresenceWriter.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1288_none_a518f9eb1ab503d0\r\hvax64.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.264_none_5481650943811810\f\SpatialAudioLicenseSrv.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.546_none_36dd2ad842e4f8c3\csrss.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.19041.1081_none_955497efbb030cb9\r\wermgr.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1266_none_eb6597ac99d11603\SpatialAudioLicenseSrv.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_10.0.19041.1266_none_e20a09e712bd275c\r\cleanmgr.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-diskraid_31bf3856ad364e35_10.0.19041.1_none_1b7ab1943757b81e\diskraid.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.1081_none_e4e5027bf1e82209\r\WerFault.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_hyperv-vmsp_31bf3856ad364e35_10.0.19041.1_none_39d506065bd87607\vmsp.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\AppVNice.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_10.0.19041.746_none_092d70d1898e5ff9\r\DismHost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.19041.1_none_6314a7411fa6f2ec\FXSSVC.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.19041.207_none_c5e1b9def3522696\f\securekernel.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.19041.1023_none_4478665ed379a3fc\AtBroker.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dns-client_31bf3856ad364e35_10.0.19041.572_none_bfb752f1e1449c59\r\dnscacheugc.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.207_none_4054ef70f69f6ff9\r\wpr.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..andlinepropertytool_31bf3856ad364e35_10.0.19041.1_none_c12e5c6c2037e719\imjpuexc.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..andlinepropertytool_31bf3856ad364e35_10.0.19041.844_none_e9349b06dfab6fdc\r\imjpuexc.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.546_none_36dd2ad842e4f8c3\r\csrss.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-u..iedwritefilter-mgmt_31bf3856ad364e35_10.0.19041.1266_none_41843efc8f66bc7c\uwfmgr.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..extservice.appxmain_31bf3856ad364e35_10.0.19041.423_none_2cade1bc915dca0d\Microsoft.AsyncTextService.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_23a707c9a0b5a8e1\f\Taskmgr.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-servicing_31bf3856ad364e35_10.0.19041.1237_none_9ad73d125ac89655\r\bfsvc.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.19041.746_none_7000e6adf00c3d30\f\CloudNotifications.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..tegrity-diagnostics_31bf3856ad364e35_10.0.19041.1_none_224ac1aa56b7c6c2\CIDiag.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.1266_none_07a5d18b92d8b668\f\cmimageworker.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..services-core-files_31bf3856ad364e35_10.0.19041.1_none_45dc4032c659ae7c\dsamain.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-embedded-bootexp_31bf3856ad364e35_10.0.19041.1_none_7f5264fda31782d9\BootExpCfg.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.264_none_87b4b95ab967b582\f\fontdrvhost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_dfsvc_b03f5f7f11d50a3a_4.0.15805.0_none_c0d2d1227427864f\dfsvc.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..ntscontrol.appxmain_31bf3856ad364e35_10.0.19041.423_none_6c3451a09cba3850\r\AccountsControlHost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.1202_none_c0150a0a443c0ffc\f\wbadmin.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..anagement-dmomacpmo_31bf3856ad364e35_10.0.19041.1_none_856b4f50911c6560\DmOmaCpMo.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-tetheringservice_31bf3856ad364e35_10.0.19041.746_none_6ba9668b45cb4938\f\IcsEntitlementHost.exe	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0020890a6fd2b80f5dbad4c031bf41a7_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads