Analysis
max time kernel: 32s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 20-10-2024 08:40

Behavioral task: behavioral1
Sample: 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Resource: win7-20240708-en

General
Target: 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Size: 87KB
MD5: 6152d82cdc94bf202d8284bb0fd1e803
SHA1: c5626eddbebc428f13bfa7f07eea88bd7ff13ce6
SHA256: 0d7e8459bd8ebab98011beafc0c00b7e3567568c59b201671b13d0169f4dc9e6
SHA512: 8615ed5283d825f107db236ecf25f4f42fd9f8c7b0cccf865acc9d299c7bba4b1d8951da6b6ee5351c767af0870a6458c78092e1ec562b69d77e0954f6bd4e5a
SSDEEP: 1536:LiiZpLhQ6wWd0gHLn5SlDuwlJmOBRjM0BXh3ZEv9FyFKeSl8k0nCdMuC:OgpLhQ6NdVHLn5IDuIB/A0BXhps9A7+S
Malware Config
Signatures
LockFile
LockFile is a ransomware family that emerged in July 2021 and was deployed through the ProxyShell vulnerabilities in Microsoft Exchange. This entry is a sandbox signature match; the indicators that follow are what the sample actually did in this run.

Renames multiple (1105) files with added filename extension
This is consistent with ransomware encrypting files across the system. The note dropped next to the renamed files appears in the tables below as ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt; that string is the Windows-1251 (Cyrillic) file name ДЕБЛОКИРОВКА ФАЙЛОВ.txt ("FILE UNLOCKING.txt") displayed as Latin-1. The rows below keep the sandbox's literal spelling so they can be matched exactly as reported.
Drops file in Drivers directory (7 IoCs)
description | ioc (Process for every row: 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe)
File created | C:\Windows\SysWOW64\drivers\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\drivers\es-ES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\drivers\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\drivers\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\drivers\it-IT\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\drivers\ja-JP\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\drivers\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt | 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The sandbox lists only TTPs under this signature, no file IoCs.
Drops file in System32 directory (64 IoCs)
description | ioc (Process for every row: 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe)
File created | C:\Windows\System32\DriverStore\FileRepository\angel64.inf_amd64_neutral_6bed16c93db1ccf3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\hpoa1ss.inf_amd64_neutral_8cae09a2238d64e0\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\InstallShield\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\transfercable.inf_amd64_neutral_82f4c743c8996d67\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_neutral_423894ded0ba8fdf\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateN\license.rtf
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer-DRM-DL\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF0450T.XML
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\iirsp2.inf_amd64_neutral_9ed65fe0bab06b1b\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\wiacn001.inf_amd64_neutral_b7a0b2f53d745b5a\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\_Default\Starter\license.rtf
File opened for modification | C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicE\license.rtf
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpdp6.xml
File created | C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\InstallShield\setupdir\040c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicE\license.rtf
File created | C:\Windows\System32\DriverStore\FileRepository\hidbth.inf_amd64_neutral_8a1323fc68ad84af\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx009.inf_amd64_neutral_d4b76afd08f308fb\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\_Default\UltimateE\license.rtf
File opened for modification | C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumE\license.rtf
File created | C:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc12.inf_amd64_neutral_ff7295ba5a46d63f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc3100t.xml
File created | C:\Windows\System32\DriverStore\FileRepository\mdmati.inf_amd64_neutral_ded8f26cdee953c3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremiumN\license.rtf
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NetworkLoadBalancing-Core\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.PowerShell.Commands.Utility.dll-Help.xml
File created | C:\Windows\SysWOW64\XPSViewer\ja-JP\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_neutral_86bb50f34c49ae71\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\HomeBasicN\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\eval\Enterprise\license.rtf
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\_Default\Enterprise\license.rtf
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomeBasicE\license.rtf
File created | C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-iis-rm\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd7300t.xml
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4500t.xml
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc451X.xml
File created | C:\Windows\System32\DriverStore\FileRepository\wiabr002.inf_amd64_neutral_b4ea26a49ad66560\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.PowerShell.Commands.Utility.dll-Help.xml
File opened for modification | C:\Windows\SysWOW64\de-DE\Licenses\eval\Starter\license.rtf
File created | C:\Windows\System32\DriverStore\FileRepository\mdmcxpv6.inf_amd64_neutral_f62ac4bd04e653d0\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\sisraid2.inf_amd64_neutral_845e008c32615283\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00z.inf_amd64_neutral_aea50acf04a2db1d\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumN\license.rtf
File created | C:\Windows\System32\DriverStore\FileRepository\hidserv.inf_amd64_neutral_f2223e39f37c69f3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml
File opened for modification | C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremiumN\license.rtf
File created | C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_neutral_77b02fd738dca150\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\Amd64\KYW7QUR7.XML
File created | C:\Windows\System32\DriverStore\FileRepository\ts_wpdmtp.inf_amd64_neutral_daa64ca27846aa23\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremiumN\license.rtf
File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasic\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\SysWOW64\wbem\ja-JP\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbgjmodgjlobgilo.bmp" | 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
The new wallpaper is a .bmp the sample wrote to the user's Temp folder, not a file from a system wallpaper location.
Memory dumps matching the yara rule upx
resource | yara_rule
behavioral1/memory/1756-3-0x0000000000400000-0x00000000005CE000-memory.dmp | upx
behavioral1/memory/1756-6736-0x0000000000400000-0x00000000005CE000-memory.dmp | upx
behavioral1/memory/1756-6737-0x0000000000400000-0x00000000005CE000-memory.dmp | upx
behavioral1/memory/1756-6981-0x0000000000400000-0x00000000005CE000-memory.dmp | upx
behavioral1/memory/1756-6982-0x0000000000400000-0x00000000005CE000-memory.dmp | upx
behavioral1/memory/1756-6985-0x0000000000400000-0x00000000005CE000-memory.dmp | upx
All six dumps cover the same image range of one process (PID 1756 in the dump names), 0x400000 to 0x5CE000, about 1.8 MB, far larger than the 87KB file on disk. That is consistent with a packed executable that unpacks into its own image at runtime, so a dump taken after the unpacker has run is a better input for static analysis than the file itself.
Drops file in Program Files directory (64 IoCs)
description | ioc (Process for every row: 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe)
File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files\VideoLAN\VLC\plugins\mux\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\gadget.xml
File created | C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml
File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN086.XML
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml
File created | C:\Program Files (x86)\Common Files\Adobe\Updater6\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files (x86)\Common Files\microsoft shared\PROOF\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip
File created | C:\Program Files\Common Files\Services\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG
File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files\Microsoft Games\Mahjong\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml
File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\connectionmanager_dmr.xml
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml
File created | C:\Program Files\Java\jre7\lib\ext\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files\Mozilla Firefox\fonts\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\gadget.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml
File created | C:\Program Files (x86)\Windows Media Player\es-ES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files (x86)\Common Files\System\ado\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG
File created | C:\Program Files (x86)\Microsoft Office\Office14\3082\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml
File created | C:\Program Files\Windows Photo Viewer\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files\Microsoft Games\Minesweeper\ja-JP\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files\Windows Journal\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML
File created | C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml
Drops file in Windows directory (64 IoCs)
description | ioc (Process for every row: 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe)
File created | C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_et-ee_adbf16f58437d193\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-n..-security.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4cad8e6b513d95fa\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-ncryptui-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3e8b0c9bc309e487\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-webservices_31bf3856ad364e35_6.1.7601.17514_none_6ca25da84551ca13\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_05906ea4445b6301\Report.System.Wired.xml
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..mentation.resources_31bf3856ad364e35_8.0.7600.16385_de-de_e60f0deafb7e25b4\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-w..deviceapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4cef8d9e84737dba\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.1.7601.17514_none_4d0830314a4c0938\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\ehome\wow\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\inf\.NET Memory Cache 4.0\0009\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\it\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_msclmd.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6f2b379dc13dd175\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlrenderingmedia_31bf3856ad364e35_11.2.9600.16428_none_ab2c6886a2bafa09\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..onservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3f9cca317352ad86\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_net1yx64.inf_31bf3856ad364e35_6.1.7600.16385_none_4784ec4e3e29c3ed\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\assembly\GAC_MSIL\System.XML.resources\2.0.0.0_es_b77a5c561934e089\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-u..-core-tsp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_56ff9dfbedc885fd\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_de-de_44c5489bf5781bbc\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.4148_none_4bf5400abf9d60b7\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-w..omponents.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8c47788d6910d36f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\Resources\Themes\Aero\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-atbroker_31bf3856ad364e35_6.1.7600.16385_none_2b95a17838063e9b\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..iprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bf2b560981ea8dcc\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_73e472e09a1a05d1\avtransport.xml
File created | C:\Windows\winsxs\x86_microsoft-windows-j..buggeride.resources_31bf3856ad364e35_8.0.7600.16385_it-it_bb29709b3e31fab9\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\assembly\GAC_MSIL\PresentationFramework.Luna\3.0.0.0__31bf3856ad364e35\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_mdmhayes.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_02cc3d244af09710\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-peerdist_31bf3856ad364e35_6.1.7600.16385_none_7919860403cdb261\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-w..omponents.resources_31bf3856ad364e35_6.1.7600.16385_es-es_912246ee1073420f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_nl-nl_5e53e6dbfe67ef44\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_it-it_495af0a09f8acfe2\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-u..ackup-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5935ad4b07ab1ed1\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-n..untimeapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bee51d48beb067e4\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-ntfstransactionapi_31bf3856ad364e35_6.1.7600.16385_none_d8af3e33228e3b36\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_6.1.7601.17514_it-it_2e965daf859cb684\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\assembly\GAC_MSIL\system.servicemodel.install.resources\3.0.0.0_de_b77a5c561934e089\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\bef47cfaf8928e35b99d8deb0eeb6b08\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..ectionsharingconfig_31bf3856ad364e35_6.1.7600.16385_none_0c2b375bae4a8d38\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-d..pwindowmanager-udwm_31bf3856ad364e35_6.1.7600.16385_none_e4880f65da28f3d0\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_6.1.7600.16385_none_f5b8f3d6a353fa89\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_prnrc004.inf_31bf3856ad364e35_6.1.7600.16385_none_21e7809d8e910def\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\wow64_microsoft-windows-i..ntconsole.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_248794f830fc064b\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1ba5473c786c35fa\license.rtf
File created | C:\Windows\assembly\GAC_MSIL\System.Core.resources\3.5.0.0_ja_b77a5c561934e089\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\0e5bae8f265fbbbf53e8ca79d159cd6d\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_nb-no_dae871a6bae004d3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..ls-nltest.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c520779c48d0ce72\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-msinfo32-exe.resources_31bf3856ad364e35_6.1.7600.16385_en-us_569111fc82cff9a6\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-recover_31bf3856ad364e35_6.1.7600.16385_none_85e9a3f215ee94e3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-offlinefiles-shellui_31bf3856ad364e35_6.1.7601.17514_none_0aad8d7ec58cd322\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_prnkm002.inf_31bf3856ad364e35_6.1.7600.16385_none_4fed5d97295b3e32\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-at.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b6f764f67440bab8\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-printing-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7d56d2d00c3f7e96\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_6.1.7601.17514_none_832fc1bb7d681e0d\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_wwf-cwetargets_i_31bf3856ad364e35_6.1.7600.16385_none_fc50b8a9f289a3e8\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\e588691224a17737f3a164cc2d46c156\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_mdmbr005.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_337fbe3476a18296\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-cryptext-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cb32cf05d00eca11\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_6.1.7600.16385_none_ae2743278c281682\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-usbceip.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_26ac3898f14cc451\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_uk-ua_b022280ea23d738e\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\assembly\GAC_MSIL\UIAutomationProvider\3.0.0.0__31bf3856ad364e35\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\Media\Garden\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
File created | C:\Windows\winsxs\amd64_display.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e3be0ec499932b7\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. In this run the only NLS artefact is a read of the machine-wide language key listed below.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
-
Modifies registry class 10 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.LOCKFILE 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.LOCKFILE\ = "BPFYNFHUWPHNSDE" 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\ = "CRYPTED!" 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u08hwRO9h74aYk9.exe,0" 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open\command 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u08hwRO9h74aYk9.exe" 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\DefaultIcon 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open 6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
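Added hunting example; this is not part of the sandbox report and not the sample's own code. It turns the two behaviours recorded above into checks: the same ransom-note file name written by one process into many directories (the file-drop list), and a new .LOCKFILE class whose ProgID open command points at an executable under the user's Temp directory (the registry list). The event lines are constructed from entries shown in this report and laid out the way the report prints them; the benign notepad.exe line and the min_dirs threshold are assumptions for illustration, and the regexes parse that flattened layout rather than a Sysmon or EDR schema. The last helper re-reads the ransom-note name through CP1251, since the en-US sandbox rendered it through CP1252; the bytes decode to the Russian phrase ДЕБЛОКИРОВКА ФАЙЛОВ ("unlocking files"), which is an inference from the encoding, not something the report states. Note also that the open command targets u08hwRO9h74aYk9.exe in Temp rather than the analysed sample's own path, so the check reports the command verbatim as a follow-up lead.

```python
"""Hunting checks over sandbox-style event lines (added example, not the report's code).
Input lines are CONSTRUCTED from entries in the report; the parsers follow the report's
text layout ("File created <path> <proc>", 'Set value (str) <key> = "<value>" <proc>')."""
import re
from collections import defaultdict

SAMPLE = "6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe"
NOTE = "ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt"  # ransom-note name exactly as the en-US sandbox rendered it
CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"

# A subset of the directories from the report's "Drops file in Windows directory" list.
NOTE_DIRS = [
    r"C:\Windows\Media\Garden",
    r"C:\Windows\assembly\GAC_MSIL\UIAutomationProvider\3.0.0.0__31bf3856ad364e35",
    r"C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\e588691224a17737f3a164cc2d46c156",
    r"C:\Windows\winsxs\x86_microsoft-windows-recover_31bf3856ad364e35_6.1.7600.16385_none_85e9a3f215ee94e3",
    r"C:\Windows\winsxs\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_6.1.7600.16385_none_f5b8f3d6a353fa89",
    r"C:\Windows\winsxs\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_6.1.7601.17514_none_832fc1bb7d681e0d",
]

# Constructed event lines. Registry values keep the report's doubled backslashes.
EVENTS = [f"File created {d}\\{NOTE} {SAMPLE}" for d in NOTE_DIRS] + [
    r"File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1ba5473c786c35fa\license.rtf " + SAMPLE,
    r"File created C:\Users\Admin\Documents\notes.txt notepad.exe",  # constructed benign control
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.LOCKFILE " + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.LOCKFILE\ = "BPFYNFHUWPHNSDE" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\ = "CRYPTED!" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u08hwRO9h74aYk9.exe,0" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u08hwRO9h74aYk9.exe" ' + SAMPLE,
]

# The process name is the last whitespace-free token; the path may contain spaces.
FILE_RE = re.compile(r"^File created (?P<path>.+) (?P<proc>\S+)$")
REG_RE = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<value>.*)" (?P<proc>\S+)$')
# Commands launched from a per-user Temp directory are writable by the malware itself.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse(lines):
    """Split report-style lines into (proc, path) file creates and (proc, key, value) registry sets."""
    files, regs = [], []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            files.append((m["proc"], m["path"]))
            continue
        m = REG_RE.match(line)
        if m:
            regs.append((m["proc"], m["key"], m["value"].replace("\\\\", "\\")))
    return files, regs


def note_fanout(files, min_dirs=5):
    """Map (proc, filename) to the directories it was written to, keeping fan-out of >= min_dirs."""
    seen = defaultdict(set)
    for proc, path in files:
        directory, _, name = path.rpartition("\\")
        seen[(proc, name)].add(directory)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_dirs}


def suspicious_extension_classes(regs):
    """Resolve .ext -> ProgID -> shell\\open\\command and flag commands under a user-writable Temp path."""
    ext_to_progid, progid_cmd = {}, {}
    for proc, key, value in regs:
        if not key.startswith(CLASSES):
            continue
        parts = key[len(CLASSES):].rstrip("\\").split("\\")
        if len(parts) == 1 and parts[0].startswith("."):
            ext_to_progid[parts[0]] = (proc, value)      # ".LOCKFILE" -> ProgID name
        elif parts[1:] == ["shell", "open", "command"]:
            progid_cmd[parts[0]] = value                  # ProgID -> launch command
    findings = []
    for ext, (proc, progid) in ext_to_progid.items():
        cmd = progid_cmd.get(progid)
        if cmd and USER_WRITABLE.search(cmd):
            findings.append({"process": proc, "extension": ext, "progid": progid, "command": cmd})
    return findings


def decode_cp1251_mojibake(name):
    """Re-read a name the en-US host rendered via CP1252 as the CP1251 bytes it was likely written with."""
    try:
        return name.encode("cp1252").decode("cp1251")
    except UnicodeError:
        return name  # not a CP1252/CP1251 mojibake; leave as displayed


if __name__ == "__main__":
    files, regs = parse(EVENTS)
    for (proc, name), dirs in note_fanout(files).items():
        print(f"{proc} wrote {name!r} into {len(dirs)} directories; decoded: {decode_cp1251_mojibake(name)!r}")
    for hit in suspicious_extension_classes(regs):
        print(f"{hit['process']} mapped {hit['extension']} -> {hit['progid']} -> {hit['command']}")
```

On a live host the same two checks apply to Sysmon Event ID 11 (FileCreate) and Event ID 13 (registry value set) once those records are mapped to the two line shapes above; the fan-out threshold should be tuned per environment, since installers also write one file name into many directories, but they do not pair it with a new extension class whose handler lives in Temp.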
Processes
-
C:\Users\Admin\AppData\Local\Temp\6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6152d82cdc94bf202d8284bb0fd1e803_JaffaCakes118.exe"
- Drops file in Drivers directory
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1756
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 630B
MD5 97d61dd38158163712ff1f93b02185dc
SHA1 aeeff9e4e9c82b7093cb222e038c1a6fcfcf06a3
SHA256 87c7671f844922e5d75372ff60271462c1f19105dce05c36a49bcbb6f93284d9
SHA512 23b9a3da5c54e3528e79ef2529619e9a3828eb049baa59a0f67c6102179f134fcde03f30d8d36b2078e89fd6a28fc107a9c03814cd0ceb32e70495f36eb1655d
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML
Filesize 582KB
MD5 f56491195b3a954dcc5dd5e00048a91a
SHA1 92a237b2aa3feb6fe1c3afea150e0f54e042c915
SHA256 34cc72cbaaa63eba1d87684f673baae5229a28ce7b7a15b5d11405f75e0a1c8f
SHA512 7fcf6a34d1dbb65be377762fdd81244bd024443200625bcb8a67fcfef2cf59a13423071ac5a6d96896cd176d6b349bb8c368e5c323079a266281e3bf536df6e6
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg
Filesize 2KB
MD5 ff592bc169552829773d00d09875ea30
SHA1 647881352b484e6d263d65b7f13b0a610ea7ea3b
SHA256 51e0ea20015ff9a344b8cd07c79a6d2ffbf8f6bc6a6dd0a91952b2528abdd2d7
SHA512 02aa598647a87f3ab8e95dba9c29f7f1fa8d4c9bf168b8004671e78afebdfcdb828acaaf599201597fe94bad83a66bc8b94b27a62b1daa3c3bcbcc75a8e8076b
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg
Filesize 6KB
MD5 b4bd9236ebd2106184de8d1d866df857
SHA1 e652e837c39ac98d2e3162e11d4c93bd6e7c7761
SHA256 4c046a1e5d6c76fdfa7592bfc104a8667d72ef62d962742845043da7c7290e91
SHA512 2feff093ce211e1e6068947a7f2bf0368d3d7ce36e52366f21f6c542e422c5e68b3536f8618c3c4c96133c10cb9ea588b55d32fe56052c4a5e7f81e67b937450
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg
Filesize 3KB
MD5 092dfc02d4a10ba133d8d32ec96f5a5f
SHA1 e9aefa4fdc1d0494c8914c55f3f23debf02d2b7e
SHA256 7079605fc6865f78b9ac9d6ff2c8611fa0804213adf9f628cd065e8df92eb89c
SHA512 694f47c6cd12c070e68e82f74cdd4d3e233bcfb9d4bc2d757cb81a2a67c46c29095f078917681ccb327e3c03f577f280e33d697b5f4ffa4a40b8cd51cacb60bf
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg
Filesize 5KB
MD5 6ca80853ad63c3339a3e86f0032c366a
SHA1 f289a7affb66e23f21261f21b603f386d72c86fd
SHA256 58b2aa242e7c29fa3369b83ad415d3fc309c761c2ea47506a692886f4e58ae52
SHA512 a26f9c0c0f2d11826985672ef4333177664601c31a81cc3bcb4ca99bb0e1837d991983ab8685f222777375cd58a53a086cd8f0b3d5e42e41ce70260470359674
-
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml
Filesize 247KB
MD5 a872098140c349bda5a42936de3c4a7d
SHA1 d1f4923183c746b1f42e2906973d0b461d177570
SHA256 132d6d5bfbec90d71a799d84873f229b3c814cd3d3e272f18fd1bd9c107b39b3
SHA512 92885a56ca9d086369e929e174b24bf29d584e6b1ece54a1b9ed709dbf2c519fe17bd927c5fa396ac403461a272da2743995a97cab5eb8e5e9a7850f69916906
-
Filesize 807B
MD5 5f82b0c82bdad0e11e88f51f05355f7d
SHA1 580947de3df7699d7dbe92ebad7843b51c3f3856
SHA256 6c95514629cd959497f67c94218163202d04c73dbef409f9b14a8826228ba925
SHA512 d0ecb309b1fa4bc6ab5de4985deb1661304993991a37b2987cac1dfe40074f2596e07dc756f043a8d67eac5e4dfc587b784edfa06432bd111158fc19c4099c8b
-
Filesize 806B
MD5 748a8d140d5194966a250e950d40f441
SHA1 bb586c7edc77bd3887c7e446358c11e4e97174ab
SHA256 e6cbc3509610aa7c637d7d4f83c54be92a918ff4d65fcebea5a1201c1526c57f
SHA512 aef089ce611126d81c85127ac2df2cc981f7b46978b162e391966902f154e8a876fc4d93468e14add06fffaf75506f767205163574ad4efe46c5431ab506c26e
-
Filesize 317B
MD5 5a0b4dd3d8f6fdf54103fd0001816f63
SHA1 a988ebbe0d7c2c876680defbd253b1975457fc7d
SHA256 f3f39acd473189ab9295d2dcf2e6197ba0ab850a82c4aa1ade5592ce1892c38a
SHA512 6bd930896090b729ba992d21481c200cde2177a9dbcd5b7444356d694557f5ee518264f232fff6316fe6f824c1e107c54c330e3823e9f811a39e36f5c0b30d12
-
Filesize 21KB
MD5 82c6ac5e46c85206837e131eddfddd83
SHA1 034737421748e5bfafd4e854534f3ad9fc9770c7
SHA256 55cf8a93e707fb1962dcc46766d7c5f0f71b64f332a6117118f94d7cb95ff322
SHA512 914b0c8f1d06e3b0b8c00bda75f227ed3864d048c2f69f0a331cbecef925ce68705afc53cdd041e430ccda931fd2605f5dc579ffe8beaa0acffdf4c51b162eb1
-
Filesize 8KB
MD5 bbef149c3dcde06a394ba512422af3a9
SHA1 34b0e982f4d5d731de39b322d4824b6af6472627
SHA256 f4097368dc6b67514f2991640d563bb52fc01c7fcda1c29566b9ed7208954cd2
SHA512 595989ecf2d2bea0939dbf57faaa3bfb690166c17fb1d1da27b58871d54b3209d71c6e5489e983e5d6d3ad05fd97bf847a6e11bc9cbc9fcfc9535818b07e08be
-
Filesize 1KB
MD5 9ceb184e2a266d3bd7ee49d69f60c0b1
SHA1 85d584f08463901541033025c42cdc2d718f0bf6
SHA256 b7e00794735ca81c2966cc03e93b5880504c98764ad9af3bd273c48c684218c5
SHA512 f9f46dad610a9b033300c22a8373d30165cdfb3175800c4837232f98c6fbcc843b8666b6c3ae313931457b0576b1891cd3a2f9437aa68933d70d52a3751463b6
-
Filesize 49B
MD5 bd6fc9ca96698344936b22ccef4ba428
SHA1 49fc5c771601ed5e3897908cf8b83b546821a6be
SHA256 1003f1a53667e28e7952335498bdedd3377eae435189df01235b6602a5654823
SHA512 095c01770b4f4e9f9fcb29c0ce290043f5c1de9c7b9767e7dd889aa25f3c103ac2dc8de5258a639aea477f649aaeb14687767a9912d6326503019369a1ed8ba6
-
Filesize 8KB
MD5 546aaf9ef3bd5a5d57584730e8aa12da
SHA1 009188fede09461fdeb7b7138bd47b4bce60a6c2
SHA256 fdd0d7552e874aa61d24a097fd9c297616d4e0ef684906a17c8c9425bed52c00
SHA512 5d6fd8a6332055afa3fcbc74a08638184bd322fc0d3da5180314438a6eb6e120b5d09c9fa0b89cea949a562522b16b9b7d49fa9a30438f0501a589c1d2f7bd2c