5b55dc27d3123b57ff7cf00c2ddaffb3f08e17e30c4390438b1399fd862ced69

Analysis

max time kernel
94s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
Size

77KB
MD5

b97e4f60fc8948d3bb0299413aa1a3de
SHA1

1ed394f6ca3f8dbc58ea8ff79e0af167d2ea96d5
SHA256

5b55dc27d3123b57ff7cf00c2ddaffb3f08e17e30c4390438b1399fd862ced69
SHA512

63d86fca2afe1970b0197725b29e6edd7b9b6c101cd929607e158e7350e0b488b1dddadd7b4113357b2a76af2ebab4d9ae609d782e5703f832748dfdbbbbd7f1
SSDEEP

1536:Wjl+2lHKITkBXkHbo/8kbrcJj6XWLaKK0Fs8DVRO+h+:O5HKITkBXkHbo/8kbgj6XWLaKNzDVph+

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4312-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0009000000023423-5.dat	upx
behavioral2/memory/4312-2985-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4312-2987-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4312-4249-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4312-4250-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4312-4254-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\autoconv.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_isv.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\write.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchFilterHost.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ttdinject.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cipher.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Com\comrepl.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GamePanel.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\isoburn.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\poqexec.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BackgroundTransferHost.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\icsunattend.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\unregmp2.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesProtection.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\credwiz.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\esentutl.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\format.com-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\schtasks.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\notepad.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\calc.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cleanmgr.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicli.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logagent.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sethc.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrm.cmd-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fc.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Fondue.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mtstocom.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OneDriveSetup.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\secinit.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ieUnatt.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msiexec.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PING.EXE	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runonce.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkntfs.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dccw.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllhst3g.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netsh.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WinMgmt.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\attrib.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\help.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\shutdown.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sort.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systeminfo.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wevtutil.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fsutil.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GameBarPresenceWriter.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LaunchTM.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RdpSaProxy.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\resmon.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdiagnhost.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SndVol.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttunesvr.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Uninstall.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\misc.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wabmig.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateSetup.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateOnDemand.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Install\{B03CCC4C-2FBB-4685-83CA-78028CCF38ED}\chrome_installer.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.264_none_583d67d6d00b6b6a\r\WerFaultSecure.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-charmap_31bf3856ad364e35_10.0.19041.1_none_a84acae243b8ad63\charmap.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-corruptedfilerecovery_31bf3856ad364e35_10.0.19041.1_none_3daac563c824d4e0\cofire.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..eak-diagnostic-core_31bf3856ad364e35_10.0.19041.1_none_1102b0871cbfcf0b\rdrleakdiag.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\r\AppVShNotify.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_wcf-smsvchost_b03f5f7f11d50a3a_10.0.19041.1_none_b4528a0bdf7b6cee\SMSvcHost.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.264_none_87b4b95ab967b582\r\fontdrvhost.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\f\rdpclip.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\SenseNdr.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..appserver-licensing_31bf3856ad364e35_10.0.19041.1_none_5ca728f7dabaeefb\tlsbln.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\f\AppVStreamingUX.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.1266_none_1abb9653828c3f41\f\SecurityHealthService.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\BackgroundTransferHost.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..s-mdac-odbcconf-exe_31bf3856ad364e35_10.0.19041.1_none_c367e800917abc7d\odbcconf.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_556ba5d1df8130ac\r\printui.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.1_none_bafc9f61651f37d2\SystemUWPLauncher.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\ttdinject.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.964_none_ae5ec9e59abc05e6\f\SndVol.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\f\wmplayer.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.153_none_47569e595c44e70c\f\FileExplorer.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\systemreset.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.264_none_4a12028313046a9e\r\ntoskrnl.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..up-deviceencryption_31bf3856ad364e35_10.0.19041.1202_none_4f22e21b58d6c2e3\BitLockerDeviceEncryption.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\f\icsunattend.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\windeploy.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lockapphost_31bf3856ad364e35_10.0.19041.1_none_b19798c3028c2929\LockAppHost.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1_none_c76758d7f0069e2e\newdev.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\SyncHost.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\WSManHTTPConfig.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\AddSuggestedFoldersToLibraryDialog.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\PinningConfirmationDialog.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_10.0.19041.867_none_b4e9fc09cfcbdd7c\f\AxInstUI.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_10.0.19041.746_none_c1db40c45e8f2d9e\r\wbengine.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\f\ImeBroker.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_10.0.19041.1_none_fa40f4e1dd1492a8\odbcad32.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-restartmanager_31bf3856ad364e35_10.0.19041.1_none_3626754ec37c229b\RmClient.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\InputPersonalization.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\WSManHTTPConfig.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-filehistory-ui_31bf3856ad364e35_10.0.19041.1_none_0423901f2a62a812\FileHistory.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..management-omadmprc_31bf3856ad364e35_10.0.19041.844_none_93c03ca99a47dc8f\f\omadmprc.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.1266_none_c67a7a982eedc4e8\explorer.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mdmagent_31bf3856ad364e35_10.0.19041.1_none_faedbaa2bd7d01c2\MDMAgent.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netfx4-csc_exe_b03f5f7f11d50a3a_4.0.15805.0_none_76eb13d6387f99ed\csc.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\f\Utilman.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-autochk_31bf3856ad364e35_10.0.19041.1266_none_56b9c0cf76f27918\autochk.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..lity-eoaexperiences_31bf3856ad364e35_10.0.19041.746_none_c291aefd01a5d6d6\f\EoAExperiences.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ddodiag_31bf3856ad364e35_10.0.19041.1_none_ec479f963c4c3325\ddodiag.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..ysafety-refreshtask_31bf3856ad364e35_10.0.19041.1266_none_d375b5361b806b32\r\WpcTok.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-managementconsole_31bf3856ad364e35_10.0.19041.906_none_65f82ba919c64b11\InetMgr.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_3d62a57d3b12dcf1\replace.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_38869341091832be\mofcomp.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-tetheringservice_31bf3856ad364e35_10.0.19041.746_none_6ba9668b45cb4938\f\IcsEntitlementHost.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.1266_none_cfec8db821d83671\f\winresume.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.1_none_aa1fc2e87b362d12\regedt32.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_b3df5aa8d99e9b89\r\TSTheme.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vssservice_31bf3856ad364e35_10.0.19041.746_none_38c6194376a6b88c\r\VSSVC.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_9fd3a313935e2396\r\upnpcont.exe-	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b97e4f60fc8948d3bb0299413aa1a3de_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe-

Filesize
622KB

MD5
e03cd60202bc6aa9d529dce0828320e0

SHA1
ca206e1c9ded76ae29e58a14ead2b366e167685e

SHA256
165ca64740d0c6046c1e00deed08b66887580c010d769b4da5920ede95828691

SHA512
a2090230b3324435efcc844a90ef782d6b4304ba6780c755fba433c71f3e2ac496e800d97c050e2629b28e7dae09b6823a03e6ea2a7f76d8869d2ed45cc510bf

Download Submit
memory/4312-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4312-2985-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4312-2987-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4312-4249-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4312-4250-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4312-4254-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download