Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/09/2024, 04:31
Behavioral task: behavioral1
Sample: fff82d601bd3732d04302f10b40a9660_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: fff82d601bd3732d04302f10b40a9660_JaffaCakes118.exe
Size: 205KB
MD5: fff82d601bd3732d04302f10b40a9660
SHA1: 081a65bf0a8cca3c9b4deb4d0affda13cc7eeb93
SHA256: e8807b53cedaced63ab8aa4e1d0e91f0d0629b695259bbfc8d8b22c06fd474f6
SHA512: 7fd1f9517c45e5e8751fa22342c00dfc1d65e5d1b6275a1ff16ad082ff1e635d7397e30c6c3d69ff0bf9bedc6af503171e553cd70a3f72f6ce8a3868acb9817d
SSDEEP: 3072:O5sPGQe5sX6dehxxjq0Fp2XAdff3+Jg/P44xpflta2c935a4ZChBA5mn7PrV:PGtsDPOXAdff3CgzuYBAe7x
Malware Config
Signatures
Drops file in System32 directory 64 IoCs
resource | yara_rule
behavioral2/memory/1120-0-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/files/0x0009000000023446-5.dat | upx
behavioral2/memory/1120-3049-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/1120-3050-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/1120-4244-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/1120-4245-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/1120-4250-0x0000000000400000-0x000000000040F000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: fff82d601bd3732d04302f10b40a9660_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fff82d601bd3732d04302f10b40a9660_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fff82d601bd3732d04302f10b40a9660_JaffaCakes118.exe"
PID: 1120
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 749KB
MD5: cd858be6706183b1c8f7347be02ba0cc
SHA1: d952b726e80e6165aa27655330c41b3f8d5aab55
SHA256: cedfdf5c37c241c2586ad4e8a01c7692ed7bcd8de9f5402139876bb9d8797543
SHA512: 5e633add3114d7a705481f35cf39d4a6c0e9f34e7b1a9583bcc37669baea51232589f11bef5fb9b9066991a460a334c3eac5bf559054948ca0d8408e5ad19c49