7350cf1ef2ae4a2dfb7e03a9228924ec6a114b5196172f0caec3be6b4e86c0be

Analysis

max time kernel
95s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
Size

225KB
MD5

9508f644ca6931f2163572761cb331ee
SHA1

42c01a00544781f49cd1f89a37f3bff9c9d02cbb
SHA256

7350cf1ef2ae4a2dfb7e03a9228924ec6a114b5196172f0caec3be6b4e86c0be
SHA512

f2cbfd4be0a7bd289588c26ff494ae24c0eee47f34c047ce1bac5ea945e912fa5d5e64cf47bff0d8c2e353cbaa934905b971265f5e599fa675fb4e6e3d85fc31
SSDEEP

3072:O5sPGQe5sX6dehxxjq0Fp2XAdff3+Jg/P44xpflta2c935a4ZxPM/WJOi8s:PGtsDPOXAdff3CgzuZQYOiD

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3328-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0009000000023472-5.dat	upx
behavioral2/memory/3328-3499-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3328-4243-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3328-4244-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3328-4249-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\format.com	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fsutil.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rundll32.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WerFault.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cleanmgr.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LaunchTM.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\perfmon.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runas.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\forfiles.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mode.com	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\reg.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\secinit.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tasklist.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\convert.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mcbuilder.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OneDriveSetup.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pcaui.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\timeout.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TsWpfWrp.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CredentialUIBroker.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmd.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasphone.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rekeywiz.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchFilterHost.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winver.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ARP.EXE	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dfrgui.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wscript.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WWAHost.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ddodiag.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\explorer.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PickerHost.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasautou.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Taskmgr.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\DismHost.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\efsui.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mstsc.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rdrleakdiag.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Register-CimProvider.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TRACERT.EXE	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttunesvr.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lodctr.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OpenWith.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PhotoScreensaver.scr-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ddodiag.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PresentationHost.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tree.com-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WPDShextAutoplay.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net1.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_isv.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchIndexer.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ttdinject.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GameBarPresenceWriter.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\help.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logman.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ttdinject.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eventcreate.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setx.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmid.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmplayer.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateCore.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wabmig.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateOnDemand.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateBroker.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1266_none_ab5bdb26141e0be5\r\vmms.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_23a707c9a0b5a8e1\Taskmgr.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1237_none_7578510aa0f564fa\vfpctrl.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.1288_none_e0f8082a6952ce81\f\ntoskrnl.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_aspnet_regbrowsers_b03f5f7f11d50a3a_4.0.15805.0_none_8e3bba60c5867c39\aspnet_regbrowsers.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..-commandline-dsmgmt_31bf3856ad364e35_10.0.19041.1_none_a4a8dfd6e5f1aab8\dsmgmt.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_10.0.19041.1_none_a3224c6911783037\IMJPDCT.EXE-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\r\iissetup.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1266_none_2d0e4759c01cf211\setup_wm.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-icm-dccw_31bf3856ad364e35_10.0.19041.1_none_db3463b66241962d\dccw.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\r\TSTheme.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mdmappinstaller_31bf3856ad364e35_10.0.19041.844_none_77a5d9aafae08e77\f\MDMAppInstaller.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.264_none_583d67d6d00b6b6a\r\WerFault.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.1_none_bb535abd48713dff\wecutil.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.173_none_38fc88f8cb913df1\winresume.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bootux.deployment_31bf3856ad364e35_10.0.19041.1_none_f4025a506f9e9f01\bootim.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ifiedwritefilter-ux_31bf3856ad364e35_10.0.19041.1_none_9fbebf8222c20a6d\uwfux.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mapi-mmga_31bf3856ad364e35_10.0.19041.746_none_b4441130315b5f1f\f\mmgaserver.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\spoolsv.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_10.0.19041.1202_none_d965e0f65a4ddcdf\r\BdeUISrv.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.746_none_48b2bd808a742e25\r\netbtugc.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\r\mip.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1202_none_76e6fb38a70dbd6d\GameBarPresenceWriter.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-castserver_31bf3856ad364e35_10.0.19041.1_none_7d903181d06247f1\CastSrv.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\aspnetca.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\f\upnpcont.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_10.0.19041.1_none_b6b7b206d4b9d895\fc.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\Boot\DVD\PCAT\etfsboot.com-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ed-chinese-moimeexe_31bf3856ad364e35_10.0.19041.1_none_9afd0cb7be0e8af9\ChsIME.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.19041.84_none_65d0f4a4c6cd4975\Magnify.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..estartup-change-pin_31bf3856ad364e35_10.0.19041.1_none_a78dc4e9f3c6c606\bdechangepin.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.1_none_20aa8037cb026fdb\netbtugc.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_30274b64fe158ec9\f\sxstrace.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_wp_exe_b03f5f7f11d50a3a_10.0.19041.1_none_85d1745a1d49397f\aspnet_wp.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.84_none_a689f818199cbaf8\f\Taskmgr.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\f\msconfig.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netfx4-aspnet_state_exe_b03f5f7f11d50a3a_4.0.15805.0_none_5ffcb7ce21b4d707\aspnet_state.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_security-octagon-broker_31bf3856ad364e35_10.0.19041.546_none_380485edeba9f4c4\f\SgrmBroker.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-u..iedwritefilter-mgmt_31bf3856ad364e35_10.0.19041.1266_none_41843efc8f66bc7c\uwfmgr.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..snotificationbroker_31bf3856ad364e35_10.0.19041.153_none_42505a6de732f7ca\MusNotification.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1288_none_f92f7256107c0e35\nvspinfo.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bcdboot-cmdlinetool_31bf3856ad364e35_10.0.19041.1237_none_d618a074f3588a53\bcdboot.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..al-chinese-moimeexe_31bf3856ad364e35_10.0.19041.1_none_e73c658ee671e530\ChtIME.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\r\prevhost.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmpdmc-ux_31bf3856ad364e35_10.0.19041.746_none_cc5cbb9556301da3\f\WMPDMC.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-clip_31bf3856ad364e35_10.0.19041.1_none_682199f2efbfb806\clip.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.19041.844_none_c47fb20821633815\imecfmui.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..al-chinese-moimeexe_31bf3856ad364e35_10.0.19041.746_none_0f44a2d7a5e3a37a\f\ChtIME.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1_none_f35caf2131abed9a\lsass.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\logoff.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_913591207b2aaf6f\WinRTNetMUAHostServer.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.19041.1288_none_5961108733e967c9\r\LsaIso.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\ResetEngine.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx4-mscorsvw_exe_b03f5f7f11d50a3a_4.0.15805.0_none_c4e6302d398f7e04\mscorsvw.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.746_none_4028b8f4f6c0b829\r\wpr.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ebviewhost.appxmain_31bf3856ad364e35_10.0.19041.264_none_e85c49c0793f9f24\Win32WebViewHost.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_4ae21b160a9d5bb2\r\CameraSettingsUIHost.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_multipoint-wmssvc_31bf3856ad364e35_10.0.19041.746_none_9ebd3ef9f0c794b5\r\WmsSvc.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_installutil_b03f5f7f11d50a3a_4.0.15805.0_none_d67d06ef0c4a2e1c\InstallUtil.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..scannerpreview-host_31bf3856ad364e35_10.0.19041.546_none_70569b662ddb706c\CameraBarcodeScannerPreview.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_edmgen_b77a5c561934e089_10.0.19041.1_none_25aa820b9acb3357\EdmGen.exe-	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9508f644ca6931f2163572761cb331ee_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe-

Filesize
770KB

MD5
1198d4a7009a406724dedbd691838b6a

SHA1
2ade0f88689ec3222d65f8613bb42c38d07f3479

SHA256
d206699ff218f73a4f500626fab2ca19f99b09347820968891015cd8c2811095

SHA512
0ea36c0390153df7d40ddd75d1d49aba00e1c8113d7175d20aa7d58a7330a0154fbe6b38984d6c3f820cc22bab624df055d0f0c035ada86b6de0cda4aaced41d

Download Submit
memory/3328-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3328-3499-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3328-4243-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3328-4244-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3328-4249-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download