8c702b0e07574bbb6954084e5dea183e740b85e4a5ec6b4d722142af90833a71

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 13:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
Size

115KB
MD5

138fabb13c6949d9462601119a47059a
SHA1

76ead93c567fc6c2992e4dcd09a75de89e160e87
SHA256

8c702b0e07574bbb6954084e5dea183e740b85e4a5ec6b4d722142af90833a71
SHA512

4e61b952b076d07bd17b98521a6c82b0cddc4bddc1db0879dea401b44d28f7a30ad177ce3da2a13ddf588315d983711de3b94097388f0f845071c0665c082225
SSDEEP

1536:SUJCXCClfXyE8CdUmUPPaICahCMVUEcf2ph4jSSHl64/bEcf2ph4jSSHl64/:SUQJ5YACaICahCMVtVLJYgVLJY

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PATHPING.EXE$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\com\MigRegDB.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\doskey.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicli.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mfpmp.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winrs.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fsutil.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mode.com	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\autofmt.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cttunesvr.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DisplaySwitch.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dvdupgrd.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sfc.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sxstrace.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msdxm.ocx$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fontview.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TapiUnattend.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\timeout.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\icacls.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedt32.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchIndexer.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrs.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setup.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\auditpol.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\certreq.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMig.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WPDShextAutoplay.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msscript.ocx$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\shutdown.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\esentutl.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\icsunattend.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysmon.ocx$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\efsui.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tree.com$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\joy.cpl$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\compact.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\extrac32.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesProtection.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RpcPing.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wermgr.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runas.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\resmon.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PresentationHost.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\reg.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systeminfo.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wsmprovhost.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tree.com	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\upnpcont.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\perfhost.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Magnify.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_isv.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-choice_31bf3856ad364e35_6.1.7601.17514_none_218cf07ba262766c\choice.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iis-managementconsole_31bf3856ad364e35_6.1.7600.16385_none_e3c88f07d4c88269\InetMgr.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7600.16385_none_ce6f64032560fa6b\instnm.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647\appidcertstorecheck.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_924b83b9b69fb351\ddodiag.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winhlp32.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-displayswitch_31bf3856ad364e35_6.1.7600.16385_none_48b6a2a03e2c7b21\DisplaySwitch.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff_sdbinst.exe_8725e339$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\iissetup.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_21ceb2d66a98ec2f\mofcomp.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf\hdwwiz.cpl	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..llercommandlinetool_31bf3856ad364e35_6.1.7600.16385_none_7444913c36004801\sc.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..essagingcoreservice_31bf3856ad364e35_6.1.7601.17514_none_412fcd2afecdc412\mqsvc.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Journal.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.7601.17514_none_b296f701dc00c582\ieUnatt.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24\ndadmin.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\wow\ehexthost32.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..ime-upgrade-results_31bf3856ad364e35_6.1.7601.17514_none_21de7e134213566a\WindowsAnytimeUpgradeResults.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_7b0d6f67c2d3f97a\iexplore.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\doskey.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-systray_31bf3856ad364e35_6.1.7600.16385_none_f327d2f6575da8ce\systray.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mobsyncexe_31bf3856ad364e35_6.1.7601.17514_none_4d76defd6af4a83e\mobsync.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rasclienttools_31bf3856ad364e35_6.1.7600.16385_none_cb3bc16fc2624947\rasdial.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.1.7601.17514_none_81fa0191bdd08961\machine.config.comments	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_aeb1ef0f4e6bba1d\wscript.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-commandlinehelp_31bf3856ad364e35_6.1.7600.16385_none_d4018bc76a8b37d9\help.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-mcglidhost_31bf3856ad364e35_6.1.7600.16385_none_05a2b72417ec1c6a\mcGlidHost.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..lepc-mobilitycenter_31bf3856ad364e35_6.1.7601.17514_none_b8bffa4921e2a435\mblctr.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.1.7601.17514_none_affb336d34ccf2f8\setup_wm.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\logman.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_a0cf62efee3228a3\wabmig.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-adaptertroubleshooter_31bf3856ad364e35_6.1.7600.16385_none_d1d79dd7e49a786f\AdapterTroubleshooter.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-security-vault_31bf3856ad364e35_6.1.7600.16385_none_4d5e025e54ba15f8\VaultSysUi.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-eudcedit_31bf3856ad364e35_6.1.7601.17514_none_5b9fee911dc04044\eudcedit.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_6.1.7601.17514_none_c82fdb5265bc18af\SndVol.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_6.1.7600.16385_none_44263d819f0aa19e\odbcad32.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\NETFXRepair.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-terminalservices-theme_31bf3856ad364e35_6.1.7600.16385_none_d5bc65ffdc22ec35\TSTheme.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..g-xpsdocumentwriter_31bf3856ad364e35_6.1.7601.17514_none_80fea45979a5d3f2\MxdwGc.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_6.1.7601.17514_none_1229a6f0546e2346\lpq.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-security-syskey_31bf3856ad364e35_6.1.7600.16385_none_74578a893f33207c\syskey.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_092d6b9141f16aca_winmgmt.exe_8f8eb7b1	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..mpropertiesadvanced_31bf3856ad364e35_6.1.7600.16385_none_f71eddfb459a0155\SystemPropertiesAdvanced.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-installer-executable_31bf3856ad364e35_6.1.7601.17514_none_a7a77a3b9cb96ce6\msiexec.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_6.1.7600.16385_none_009cfaa696afe78b\fc.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_6.1.7600.16385_none_ad5854ca0a23343d\mount.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_6.1.7600.16385_none_9d299157e03ce00f\klist.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cttunesvr_31bf3856ad364e35_6.1.7600.16385_none_4befc8eb38093bb1\cttunesvr.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\migwiz.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sstext3d_31bf3856ad364e35_6.1.7601.17514_none_625ebded763bbe23\ssText3d.scr	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_c79aef32ab85d92b\cmmon32.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_934d08d31b96d4ee\msra.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_0935b76c289e0fd5\PkgMgr.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\SMSvcHost.ni.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-datacontrol_31bf3856ad364e35_8.0.7600.16385_none_8ab661c930dca3c8\tdc.ocx	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_aeb1ef0f4e6bba1d\wshom.ocx$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-makecab_31bf3856ad364e35_6.1.7600.16385_none_f0a5d809ca926e4f\makecab.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sort_31bf3856ad364e35_6.1.7600.16385_none_ab9479767ad67fd7\sort.exe$$$	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2184	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	138fabb13c6949d9462601119a47059a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\138fabb13c6949d9462601119a47059a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\138fabb13c6949d9462601119a47059a_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads