939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39

General

Target

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Size

141KB
MD5

f6ba36edaf3b699b3656fb94131d06da
SHA1

9dc88694e0f4be51cc4c6b435349f3939e6b0a47
SHA256

939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39
SHA512

c70e3cba46c8d75db05db5d4b8461ce7d3d1087d56ac635f856a9b26f85152ba465653944acb7bfe87edb5b978fc45d9c462c2f61461e4efe36e9f607fb0b6b6
SSDEEP

3072:K5yJGaBDcKFP/QCtxydMKNWUWFisaGJC:K59aBwC/QrAfaGw

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Drops file in Program Files directory 16 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrprcr.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAdobe.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Acrobat.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AdobeAcrobat19.10.20064.310990.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\MicrosoftStudio.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\MicrosoftStudio.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setupexeEdge.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFrameworkIdentityModel.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ietoedgestubexeietoedgebhodll92.0.902.67.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\ado\ja-JP\Windowsmsader15.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\VisualStudioApplications.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\WindowsMicrosoft10.0.19041.746.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msaddsrmsdaprsr10.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\HMMAPIInternet.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\Microsoftvstoee.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-eapteap_31bf3856ad364e35_10.0.19041.1_none_e1f932842d5ae558\OperatingSystem.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\SystemWindows6.1.7600.16385.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..oledb-rll.resources_31bf3856ad364e35_10.0.19041.1_es-es_3789e1b2cd9c87ee\oledb32rOperating.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_smsvchost_b03f5f7f11d50a3a_4.0.15805.0_none_6d5f51303f9aca21\SMSvcHostSMSvcHost.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-antimalware-scan-interface_31bf3856ad364e35_10.0.19041.746_none_3f024f186a43ff17\amsiMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_multipoint-wmssharinghost_31bf3856ad364e35_10.0.19041.746_none_e07862e65010e3f9\MicrosoftSystem.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_cs-cz_1dee5804823a393a\MicrosoftCOMCTL32.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_sr-..-rs_b2c524b47939e030\messagesWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..pplatform.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4ba4b7355d7d35fe\MicrosoftOperating.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..ry-editor.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_53451d629515cf2a\SystmeWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ment-dmiso8601utils_31bf3856ad364e35_10.0.19041.1_none_2d0e21ae214fbb3a\dmiso8601utilsOperating10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\1031\vbc7uiFramework.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_aaf2ce25d18f26f4\WINLOGONwinlogon.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..taservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7e113f8846774556\SystemWindows10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mfh263enc_31bf3856ad364e35_10.0.19041.1_none_4052cff3d3a53273\OperatingMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_f4a55c2c3386ed90\WindowsSystem.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-upnpcontrolpoint_31bf3856ad364e35_10.0.19041.1_none_e8c07bc7d01eb88d\OperatingWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_caspol.resources_b03f5f7f11d50a3a_10.0.19041.1_it-it_244c4365ef34e170\CasPolresources.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-logagent_31bf3856ad364e35_10.0.19041.1_none_a13199bb61665e9a\OperatingSystem12.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\ImmersiveControlPanel\de-DE\MicrosoftWindows10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.Resources\2.0.0.0_de_b03f5f7f11d50a3a\ProtocolsMicrosoft2.0.50727.9149.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..omponents.resources_31bf3856ad364e35_10.0.19041.1_es-es_eb1e62ca961fc1e3\Windowsoperativo.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nce-tools.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_f9f7316b374b37de\MicrosoftWindows10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e7d4e0d093700dad\MicrosoftOperating.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-themecpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_4f0b86052173ffc1\THEMECPLWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-application..cts-winrt.resources_31bf3856ad364e35_10.0.19041.1_de-de_ca24d45b439ee7eb\WindowsBetriebssystem.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..i-prnfldr.resources_31bf3856ad364e35_10.0.19041.1_it-it_6eedd8928e21f7dc\operativoMicrosoft10.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devicepairingfolder_31bf3856ad364e35_10.0.19041.746_none_2a2b860186768dd3\DevicePairingFolderMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-photoviewer.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_09adaaeb3823e98c\WindowsMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_system.windows.forms.resources_b77a5c561934e089_4.0.15805.0_ja-jp_2121c87b73d656f1\SystemWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft.windows.dsc.dsctimer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_83b05612bbbb236c\dexploitationWindows10.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx4-naturallanguage6_b03f5f7f11d50a3a_4.0.15805.0_none_51f1db32f8e495cc\VsVersionVsVersion.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\Aero2Input4.8.4180.0481.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Boot\EFI\ru-RU\WindowsMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_96d54dcaecf3b9ff\resourcesresources3.0.6920.0.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dui70.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_ba3b9e31f5de5c7a\Systmedexploitation.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft.security...cyengineapi.interop_31bf3856ad364e35_10.0.19041.1_none_dd8f3a4eb4c8efbd\PolicyManagementPolicyEngineApi.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mfh264enc_31bf3856ad364e35_10.0.19041.964_none_684359d4932909e0\FoundationMedia.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_system.data.entity_b77a5c561934e089_4.0.15805.0_none_0ecb6a68a1dde8b1\systementity.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscormmcMicrosoft2.0.50727.9149.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MUI\0411\Frameworkmscorsecr.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-n..ontroller.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_ca9a1dba364ebe6e\Windowsdexploitation.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..2provider.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_7ab856f8db00ab72\WindowsOperating10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-wizard.resources_31bf3856ad364e35_10.0.19041.1_es-es_ef9168dbc4ad0ac5\photowizoperativo.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..-odbc-installer-dll_31bf3856ad364e35_10.0.19041.1_none_431c11f7f4924730\odbccp32Windows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ents-mdac-ado15-rll_31bf3856ad364e35_10.0.19041.1_none_c857548e0c0676b3\msader15Operating.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\resourcesFramework.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..appushsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_b22a111b90573051\dmwappushsvcOperating.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_msbuild.resources_b03f5f7f11d50a3a_3.5.19041.1_fr-fr_666d8bf22ce884b4\FrameworkMSBuild3.5.30729.91356.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..framework.resources_31bf3856ad364e35_10.0.19041.1_it-it_da7e5dac351901cc\WindowsSistema10.0.19041.1.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_a957ea8f6dfc58ba\Sistemaoperativo10.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-xbox-game..scription-component_31bf3856ad364e35_10.0.19041.746_none_96020d9c6674d6a1\GameChatTranscriptionWindows10.0.19041.746.160101.0800.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_dual_wvmgid.inf_31bf3856ad364e35_10.0.19041.1_none_54ce3cc20c431991\Windowsvmgid.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..-host-api.resources_31bf3856ad364e35_10.0.19041.1_en-us_7c0f1f70f8346934\WwaApiApplication.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\SharedUtilitiesWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..indowsuiinputinking_31bf3856ad364e35_10.0.19041.1_none_a55f9d2282840a4d\InkingMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.KeyDistributionService.Cmdlets.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\Microsoftresources.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-l2na_31bf3856ad364e35_10.0.19041.1_none_6b099896edcb411f\Microsoftl2nacp.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..xecutable.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_d89b1dc9cd7498b0\msiexecmsiexec.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\v4.0_1.0.0.0_fr_31bf3856ad364e35\dexploitationMicrosoftR.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_de-de_1e6d8bf71c919104\dot3svcWindows10.0.19041.1.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_system.windows.presentation.resources_b77a5c561934e089_10.0.19041.1_de-de_7ba454e17b7c4377\MicrosoftWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..onmanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_cc0b105c7b24e431\SystemMicrosoft.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_dual_ufxsynopsys.inf_31bf3856ad364e35_10.0.19041.662_none_eb48813183604651\ufxsynopsysufxsynopsys.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

pid	process
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1304	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFrameworkIdentityModel.exe

Filesize
141KB

MD5
f6ba36edaf3b699b3656fb94131d06da

SHA1
9dc88694e0f4be51cc4c6b435349f3939e6b0a47

SHA256
939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39

SHA512
c70e3cba46c8d75db05db5d4b8461ce7d3d1087d56ac635f856a9b26f85152ba465653944acb7bfe87edb5b978fc45d9c462c2f61461e4efe36e9f607fb0b6b6

Download Submit
memory/1304-3-0x0000000000443000-0x0000000000445000-memory.dmp

Filesize
8KB

Download
memory/1304-4-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1304-59-0x0000000000443000-0x0000000000445000-memory.dmp

Filesize
8KB

Download
memory/1304-73-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads