d95ea8267527e7eef5f5619a586c1e8d73b2f4e467d77596dc626c29cb3f44b9

Analysis

max time kernel
94s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
Size

208KB
MD5

fb3f1fd8261c4654ed6019fbbd841cdf
SHA1

d866bd01bb62f88b0beb40c0a4e2f2ed97c39383
SHA256

d95ea8267527e7eef5f5619a586c1e8d73b2f4e467d77596dc626c29cb3f44b9
SHA512

2674eb57d16c72d66a7cb372b9111692d954a195ea7d53030922f890ead77f3fcf9f41987636dff2c3963492aed7681fc3c4c8eebf7ac8013ef7c054ef3d4792
SSDEEP

3072:O5HKITkBXkH7FomiSlBEtZTRA+UT0xj4Sle/qGTCAyNeX:NITkBXkHNetZG+4

Score

5^/10

discovery upx

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Magnify.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\provlaunch.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ReAgentc.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemUWPLauncher.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eudcedit.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netiougc.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\openfiles.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchIndexer.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AtBroker.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eventvwr.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\grpconv.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\grpconv.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\isoburn.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasdial.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrm.cmd	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\driverquery.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fltMC.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\print.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RdpSa.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\resmon.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\user.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ARP.EXE-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttune.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mspaint.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TRACERT.EXE-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\at.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dvdplay.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\edpnotify.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\extrac32.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\find.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PATHPING.EXE	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sort.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WMIC.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexpress.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicli.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MuiUnattend.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autoconv.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ftp.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ktmutil.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PING.EXE	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wecutil.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkntfs.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dtdump.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hh.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LaunchWinApp.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\UserAccountBroker.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eventcreate.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexpress.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\printui.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasautou.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bitsadmin.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\schtasks.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CameraSettingsUIHost.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\choice.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\expand.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\finger.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sethc.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3056-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0009000000023427-5.dat	upx
behavioral2/memory/3056-2078-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3056-2079-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3056-4254-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3056-4255-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3056-4259-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Install\{A1342620-C3E7-48E4-A8CA-2B9DD9AE1E3F}\chrome_installer.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\show_third_party_software_licenses.bat	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wab.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wabmig.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateOnDemand.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\r\FileExplorer.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.19041.84_none_65d0f4a4c6cd4975\r\Magnify.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1288_none_a518f9eb1ab503d0\r\hvix64.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.928_none_6a67731cf3e151f2\f\pcaui.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_10.0.19041.1_none_6905f2230c3224a7\djoin.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_10.0.19041.746_none_c7a124154e1d7314\mtstocom.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_11.0.19041.1081_none_7e66aef13d0cb227\ie4ushowIE.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\f\PerceptionSimulationService.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.746_none_d22800313aa7eb5c\r\regedit.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_bd2b0ef5b58e1540\r\cscript.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.19041.1_none_25b40e9a744f0270\winlogon.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1_none_b817dbd29134ec4d\GameBarPresenceWriter.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..-unifiedwritefilter_31bf3856ad364e35_10.0.19041.1266_none_110072d23cfc00d3\uwfservicingscr.scr-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-processmodel-cpt_31bf3856ad364e35_10.0.19041.1_none_60c397ff12ee4db1\w3wp.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\r\sysprep.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1060d2d22df7c6eb\r\WWAHost.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_2dfbb21bd5166adc\r\LaunchTM.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1_none_8f3a372b5909de8a\wiaacmgr.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_10.0.19041.264_none_dc8146375466099a\DWWIN.EXE-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.19041.546_none_4eec2752c7ea16f8\backgroundTaskHost.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..alenrollmentmanager_31bf3856ad364e35_10.0.19041.1202_none_1a780ff3456b7bcd\r\CredentialEnrollmentManager.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.19041.610_none_d94fa044111e8308\r\StartMenuExperienceHost.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.19041.1266_none_e488d49c8a22d21e\r\winlogon.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-secinit_31bf3856ad364e35_10.0.19041.1_none_3da8fdfb6c5bbf8a\secinit.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sstext3d_31bf3856ad364e35_10.0.19041.1_none_ba29c601fef9ba5d\ssText3d.scr-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1266_none_2d0e4759c01cf211\f\setup_wm.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_9627a04e40f9f001\f\SearchIndexer.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.19041.207_none_c5e1b9def3522696\f\securekernel.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ifiedwritefilter-ux_31bf3856ad364e35_10.0.19041.746_none_c7c6fccae233c8b7\r\uwfux.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-runonce_31bf3856ad364e35_10.0.19041.1_none_cbabe2205e65787b\runonce.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.264_none_2649f3f85f3b49b1\cscript.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.1_none_3451e3c68828f3da\smss.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\BioEnrollmentHost.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\f\smartscreen.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.84_none_9b0dd648f2c31f16\r\dfrgui.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\f\wmplayer.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\LaunchWinApp.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-photoscreensaver_31bf3856ad364e35_10.0.19041.746_none_eda92e20fee7d318\r\PhotoScreensaver.scr-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\hvax64.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bth-user_31bf3856ad364e35_10.0.19041.1_none_1b0a4d6f748b99f5\fsquirt.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ieframe_31bf3856ad364e35_11.0.19041.264_none_863c21753674f968\f\IESettingSync.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.746_none_ff52abd5cb47bbe1\f\lpksetup.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.19041.1266_none_3bcd0306a19592e2\f\Robocopy.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.1288_none_6c70124c60e2b4ef\vmcompute.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.264_none_31474dbf12ce5adc\XblGameSaveTask.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..d-searchintegration_31bf3856ad364e35_10.0.19041.746_none_6e05a6bb2291b4c6\r\IMESEARCH.EXE-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..ommandline-repadmin_31bf3856ad364e35_10.0.19041.1_none_5a9698f03a1b8696\repadmin.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.1_none_18b14c7d1478d4cc\EaseOfAccessDialog.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_23e2379a6f03d0cb\gpresult.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\wmpconfig.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.84_none_b5c0f628d1d661eb\r\Narrator.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\SpeechModelDownload.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\r\iisrstas.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.19041.1_none_6a9f2a3a3265ab31\rpcinfo.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoftwindowssystemrestore-tasks_31bf3856ad364e35_10.0.19041.84_none_2c3254d57443e050\f\SrTasks.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-whoami_31bf3856ad364e35_10.0.19041.1_none_8ec2362c55947137\whoami.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_6331d348ae4a8fa9\TiWorker.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..tx-dxgiadaptercache_31bf3856ad364e35_10.0.19041.84_none_9f3e49455f52d8f7\f\dxgiadaptercache.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.19041.117_none_610933d42d963a44\r\wsl.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_b8c5253467557e69\shutdown.exe-	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb3f1fd8261c4654ed6019fbbd841cdf_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe-

Filesize
753KB

MD5
2ce2a454dcd6085aabd3f9e1ef7dc511

SHA1
c6cdc9fed615b3932dedbb0b0c64be7b5e08bd35

SHA256
6cf31294bbacb248f585f851f8f25ed631a225ee823de75ba2f42d70ba0d981c

SHA512
995ffbe4ccb0fabaa3533a20f35a83194cfd097caa8b4d4a91c44e4af9566859977a80f1d2f2db8a80518f9bc677d418cd117a73b5065e06ae9f23d7c0eac1d5

Download Submit
memory/3056-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3056-2078-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3056-2079-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3056-4254-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3056-4255-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3056-4259-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download