a6a476967e7e02a0611a06f96f41be34761e69b28fe865bcd96cf5678ebb555a

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
Size

2.6MB
MD5

6ee693630cc91533c69b9994a9886b8d
SHA1

abf9746e2e79b3160cd3e442bc52dd7b52c36e7f
SHA256

a6a476967e7e02a0611a06f96f41be34761e69b28fe865bcd96cf5678ebb555a
SHA512

008ea84e6e9dfee64fade8a00c07c0d360f39941cb6fb196f0c6f93a6e0dd9e8590fbfb90d9c20f6bd811ad48792136ae5c84a47674b8e37d0d49ebd28db5a2c
SSDEEP

24576:IVYbWzOLA80yE23Z5EU22lH1QnxBxabsM8KGH7Co0OLeGrIocE5lArjPPA:hWzOIyrZOU22lcx08KGbNLeGMb4unA

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ja-JP\SystemOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\SystemOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\Operatingafunix.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Operatingafunix.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\WindowsSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\WindowsSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mIRCmirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe"	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\mIRCmirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe"	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hu-HU\opercisrendszer5.82.160101.0800.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\AdapterVelocity.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsusbhub.inf_amd64_bd91a147ab4ebf1c\tsusbhubSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it\AppVSistema.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zh-TW\WindowsXaml.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\es-ES\mircmIRC6.34.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XPSViewer\ja-JP\FrameworkMicrosoftR.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\RCXE2BA.tmp	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ko-KR\OperatingXaml.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it-IT\wmicWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\usbnetOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hpsamd.inf_amd64_0784fd3ef0d7ec93\hpsamdController.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ja\AuthFWSnapinresources10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\fr\WindowsMicrosoft10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\POWERSHELLPowerShell.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PerceptionSimulation\SystemWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PerceptionSimulation\SystemWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\mircmIRC.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hr-HR\WindowsWindows10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iastorav.inf_amd64_87f761c07c99d5e7\TechnologyIntelR.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\ja\resourcesSystem10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\ja\WindowsSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\OperatingDismProvPS.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sdbus.inf_amd64_55c0c78952233d0c\dumpsddumpsd.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\F12\uk-UA\F12Platform2F12Chooser.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en\Windowsresources.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_avrcptransport.inf_amd64_6506aa4ac05430d7\MicrosoftBluetooth.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hr-HR\mIRCmirc.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\ja\WindowsAppVClientPowerShell.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Com\en-US\SystemOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\ja-JP\WindowsWindows10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\th-TH\QuickAssistCOMCTL32.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tr-TR\COMCTL32QuickAssist.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Com\de-DE\mircmIRC.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\ja\WindowsAppVClientPowerShell.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwlv64.inf_amd64_0b9818131664d91e\netwlv64netwlv64.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\Operatingspsrx.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hu-HU\opercisrendszer5.82.160101.0800.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\defaulthelpdexploitation.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\defaulthelpdexploitation.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsClient\dnslookupMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lv-LV\mircmIRC.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\intelta.inf_amd64_ba962d801a22973c\inteltaMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\idtsec.inf_amd64_9321d33f1997dbfd\idtsecMicrosoft10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\OperatingWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lt-LT\WindowsSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sv-SE\mircmirc.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Com\de-DE\mircmIRC.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\F12\de-DE\F12Platform2F12Script.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_b616bed30e8928ca\Microsoftwsdprint.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-MX\WindowsSyncRes10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\fr\resourcesWindows10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\F12\fr-FR\F12ScriptInternet.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEKR\APPLETS\imkrcacWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wdmvsc.inf_amd64_8666ee4da6ad6325\Microsoftdmvsc.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\fdc.inf_amd64_7534987814b257b2\SystemOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\RealtekAdapters.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\Operatingusbport.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lv-LV\mircmIRC.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\en\Windowsresources.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwbw02.inf_amd64_1c4077fa004e73b4\Intelnetwbw02.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migration\en-US\SxsMigPluginWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Com\de-DE\MicrosoftMIGREGDB10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Operatingwmprph.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\ExtensibilityVisual7.00.9466.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\OperatingSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\PowerShellPackageManagement.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\MicrosoftMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\OperatingSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\it-IT\SistemaWAB32res.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\WindowsMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Adobe.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\ieinstalieinstal.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\en-US\SystemMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\WindowsSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Adobe.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\SystemOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VisualVSTOInstaller.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcqWindows10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AdobeAcrobat.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\PowerShellresources10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\Registrationjaureg.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javawmIRC.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\ieinstalieinstal.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\ado\es-ES\SystemMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\WindowsEppManifest.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\Windowsoperativo.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\WindowsSystme10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\SystmeSystme.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\FlashAdobe.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewerPhotoViewer10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFrameworkSpeech.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\OperatingSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipTsfRTSCom.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\Microsoftextexport.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\WindowsWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Windowssqmapi.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\systemSTLCLR.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\WindowsImagingDevices.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\ieinstaliexplore.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ja-JP\WindowsWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCXDDCE.tmp	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXE3DB.tmp	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\ChromeGoogle.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\iexploreieinstal.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\uk-UA\WindowsWindows10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\SystemWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\ieinstaliexplore.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\FlashAdobe.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\wordpadWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\ieinstalExplorer.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\en-US\SystemMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\AdobeAcrobat.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\wmplayerWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\en-US\MicrosoftWindows10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewerMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClientresources.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\iexploreieinstal.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXE06F.tmp	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\MicrosoftInstaller92.0.902.67.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\ChromeGoogle.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\SystemWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\MicrosoftVisual.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\FrameworkData.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\ExplorerInternet.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35\PowerShellWindows6.1.7600.16385.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_system.addin.contract_b03f5f7f11d50a3a_4.0.15805.0_none_fe9fd1cf392dd3c8\AddInFramework502.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..dlinetool.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_66f05272ab527309\MicrosoftSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-cleanmgr_31bf3856ad364e35_10.0.19041.1266_none_ec5eb439471de957\OperatingWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..ectortool.resources_31bf3856ad364e35_10.0.19041.1_it-it_b85d4aee59c7ac79\Microsoftbootsect.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-rasppp-noneap_31bf3856ad364e35_10.0.19041.1_none_d7f92ac8282fff75\MicrosoftOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nshhttp.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_44349a789430b083\nshhttpOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wordpad_31bf3856ad364e35_10.0.19041.1_none_ee00310940a3cd37\WordpadFilterWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-t..cognition.resources_31bf3856ad364e35_10.0.19041.1_it-it_c45c04cdd763fd5f\mshwLatinMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ortedlanguage_es-es_31bf3856ad364e35_10.0.19041.1_none_e9230ef19706b3aa\OperatingSpDeskRs.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_dual_net8187se64.inf_31bf3856ad364e35_10.0.19041.1_none_c64b5602653e7b30\RTL8187Snet8187se64.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msmq-admin_31bf3856ad364e35_10.0.19041.1_none_6d3f0f21dcc9eb31\MQSNAPOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..providers.resources_31bf3856ad364e35_10.0.19041.1_it-it_577ffd5619b6caf4\SistemaSistema.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasbase-rascustom_31bf3856ad364e35_10.0.19041.1_none_af0e92dd5c143c86\MicrosoftOperating10.0.19041.1.160101.0800.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx4-system_web_tlb_b03f5f7f11d50a3a_4.0.15805.0_none_d768e524791719da\SystemSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\resourcesSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ointofservice-winrt_31bf3856ad364e35_10.0.19041.264_none_5076ad26f4a53328\OperatingSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..k-msctfui.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_99555e01455b4176\MicrosoftWindows10.0.19041.1.160101.0800.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..ibinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5984c0487c619dca\Servicesiisfcgi.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..l-library.resources_31bf3856ad364e35_10.0.19041.1_es-es_41fee2bbdeb0ad8e\WindowsWinBioDataModel.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.906_none_a6600355b5f69459\WindowsOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..ion-winrt.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_dbee9ffd9803038e\WindowsMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b641f2883587d6aa\WindowsSystme10.0.19041.1.160101.0800.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..up-prompt.resources_31bf3856ad364e35_10.0.19041.1_en-us_11eb82df9538735b\MicrosoftOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_es_b03f5f7f11d50a3a\Microsoftresources.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_multipoint-logcollector.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_1b6bb3fa209efd77\WindowsLogCollector.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-eventviewer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_13bc0b8bfacd640b\SystemMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-f..mutilityrefslibrary_31bf3856ad364e35_10.0.19041.1202_none_7b0dac7c38adc992\OperatingMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_dual_netrtl64.inf_31bf3856ad364e35_10.0.19041.1_none_3519a95140eb0db0\RealtekRtnic64.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-at.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_44d33a865e6eb6e7\OperatingSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ipmiprovider.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5c0c7b44a3baf3d3\Microsoftipmiprr.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..dcredentialprovider_31bf3856ad364e35_10.0.19041.1202_none_b6cad1a377c3a8fd\OperatingWindows10.0.19041.1202.160101.0800.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_10.0.19041.1_es-mx_b0ff32074d74c45f\SistemaWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\MicrosoftSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_microsoft.managementconsole.resources_31bf3856ad364e35_10.0.19041.1_it-it_e917e4dcfecba1d9\resourcesresources.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-l..nguageoverlayserver_31bf3856ad364e35_10.0.19041.746_none_240e8eeacc14c9dd\OperatingWindows10.0.19041.746.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.Resources\v4.0_3.0.0.0_de_31bf3856ad364e35\resourcesBetriebssystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..atahelper.resources_31bf3856ad364e35_10.0.19041.1_it-it_77ab917e7f59754b\Sistemaoperativo10.0.19041.1.160101.0800.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..ty-client.resources_31bf3856ad364e35_10.0.19041.1_en-us_009b75f57c630da0\MicrosoftWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..neservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_4f17500843847e14\PhoneServiceResOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netfx35linq-system.addin.contract_31bf3856ad364e35_10.0.19041.1_none_ddec2ac2dca0e1a1\AddInSystem3.5.30729.9141.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics.resources\v4.0_4.0.0.0_it_b77a5c561934e089\resourcesresources.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_presentationcore.resources_31bf3856ad364e35_4.0.15805.0_es-es_3f983b20eb2d713c\MicrosoftFramework.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.1_en-us_68ce1881981b1956\tipresxOperating.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-van.resources_31bf3856ad364e35_10.0.19041.1_de-de_88100facd1db2a9d\WindowsMicrosoft10.0.19041.1.160101.0800.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_system.web.routing.resources_31bf3856ad364e35_4.0.15805.0_it-it_a7193fafe12cd5f4\resourcesRouting.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..codec-dll.resources_31bf3856ad364e35_10.0.19041.1_en-us_41caac310a838eed\MicrosoftWindows10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..otifications-client_31bf3856ad364e35_10.0.19041.746_none_d7e4d92ce9da62c9\WpnClientMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..anagement.resources_31bf3856ad364e35_10.0.19041.1_en-us_9e90585cfbb93b34\PowerShellWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_42c40066635bb9e0\COMCTL32Microsoft10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ice-transliteration_31bf3856ad364e35_10.0.19041.1_none_0e9e0cd3c62b4e74\Microsoftelstrans.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-getmac.resources_31bf3856ad364e35_10.0.19041.1_de-de_c60b513e4d44b9fc\WindowsGetMac.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..lperclass.resources_31bf3856ad364e35_10.0.19041.1_en-us_177f01d72ecabf32\dot3HCMicrosoft10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bits-client-proxy_31bf3856ad364e35_10.0.19041.1_none_1cbaa9fb561322c2\qmgrprxySystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_10.0.19041.1_de-de_232036f0f7255c29\WindowsMicrosoft.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..iprovider.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_c0da82259fe81055\vdswmiSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasplap-mui.resources_31bf3856ad364e35_10.0.19041.1_it-it_d2fcb7ef4cade79e\RasCredProvRASCREDPROV10.0.19041.1.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\ManagementSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-cdp-winrt_31bf3856ad364e35_10.0.19041.264_none_418e6cba5274383c\OperatingSystem.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_regsql.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\resourcesaspnetregsql.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ncrypt.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_aebb5639b31be78c\WindowsSystem10.0.19041.1.160101.0800.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx4-ngentask_exe_b03f5f7f11d50a3a_4.0.15805.0_none_1bb0d4ac7da3bfe1\FrameworkNGenTask.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-ngc-isocontainer_31bf3856ad364e35_10.0.19041.153_none_6a97ec40c088e7ad\SystemNgcIsoCtnr.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_microsoft.backgroun..transfer.management_31bf3856ad364e35_10.0.19041.1_none_ebccaf368c37409c\SystemWindows.exe	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3016	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
3016	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
3016	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
3016	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
3016	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
3016	6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ee693630cc91533c69b9994a9886b8d_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\LinkLibrary.exe

Filesize
2.6MB

MD5
6ee693630cc91533c69b9994a9886b8d

SHA1
abf9746e2e79b3160cd3e442bc52dd7b52c36e7f

SHA256
a6a476967e7e02a0611a06f96f41be34761e69b28fe865bcd96cf5678ebb555a

SHA512
008ea84e6e9dfee64fade8a00c07c0d360f39941cb6fb196f0c6f93a6e0dd9e8590fbfb90d9c20f6bd811ad48792136ae5c84a47674b8e37d0d49ebd28db5a2c

Download Submit