e593a473ce7a0d4d255f21082f2526dc4aeca3203e908cb5ab7d929e205bc88d

Analysis

max time kernel
44s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
Size

96KB
MD5

a049d5d690915345f7c30672a058dc8a
SHA1

df39a4a9d358fea2796dc5ba790c3a364fcedf60
SHA256

e593a473ce7a0d4d255f21082f2526dc4aeca3203e908cb5ab7d929e205bc88d
SHA512

7322742234cd60826ba7c5096a56d472ea949ab09ce649aa11aabeac08a20bd01c0e63c05afa1ee51167e86d6cb42384732a353d9cb4506cf160232680745890
SSDEEP

1536:jOh8gXbX075M2V2f+ffGQzRbtFO2616is:Y/Lk75M2V2fS+Qtbt4

Score

9^/10

discovery persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (643) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81GjVbePNt0iBY9.exe"	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_WS-Management_Cmdlets.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_modules.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_providers.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_transactions.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_cmdletbindingattribute.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Parsing.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_profiles.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_try_catch_finally.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_transactions.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_format.ps1xml.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_hash_tables.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced_methods.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_troubleshooting.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_join.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Quoting_Rules.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_output.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_split.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_trap.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Signing.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_types.ps1xml.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_escape_characters.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_operators.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_types.ps1xml.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_CommonParameters.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scopes.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_CommonParameters.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_execution_policies.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced_methods.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_trap.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_advanced_methods.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_regular_expressions.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_FAQ.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Foreach.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_methods.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_jobs.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_WMI_Cmdlets.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Windows_PowerShell_2.0.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_arrays.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Break.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\erofflps.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_logical_operators.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_trap.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_wildcards.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_try_catch_finally.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_eventlogs.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_methods.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Ref.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Session_Configurations.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Variables.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_environment_variables.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced_methods.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced_parameters.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\erofflps.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_scopes.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Quoting_Rules.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced_parameters.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_do.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Continue.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\erofflps.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Comment_Based_Help.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_parameters.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_jobs.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\THMBNAIL.PNG	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\THMBNAIL.PNG	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\THMBNAIL.PNG	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\THMBNAIL.PNG	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\THMBNAIL.PNG	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_PSSnapins.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\tile16.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\drag.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_btn-previous-static.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..yle-specialoccasion_31bf3856ad364e35_6.1.7600.16385_none_01242a21ddccaf3b\NavigationLeft_ButtonGraphic.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Windows_PowerShell_ISE.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_debuggers.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_prompts.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_requires.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\circleround_videoinset.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\NavigationLeft_ButtonGraphic.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_functions_advanced_parameters.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_modules.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_679a6ba79b07a3c0\add_down.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\30.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\passport.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_WMI_Cmdlets.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Foreach.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\Chrysanthemum.jpg	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Line_Editing.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\settings_right_rest.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_679a6ba79b07a3c0\base-undocked-4.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\Circle_SelectionSubpictureB.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_debuggers.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_While.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\blank.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked-loading.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\btn_search_up.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\TitleButtonSubpicture.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Parsing.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\img26.jpg	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_remote_troubleshooting.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_environment_variables.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_escape_characters.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\NavigationLeft_ButtonGraphic.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\img14.jpg	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_remote_output.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\trad_dot.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\diner_dot.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07\NavigationRight_SelectionSubpicture.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_pipelines.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_black_thunderstorm.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Return.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_For.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\add_down.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_try_catch_finally.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\2.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\btn_search_up.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\16to9Squareframe_SelectionSubpicture.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_functions_advanced_parameters.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Throw.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\24.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\ehshellLogo.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\modern_m.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\novelty_m.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\3.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07\push.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\img25.jpg	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_types.ps1xml.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_debuggers.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_WS-Management_Cmdlets.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_functions_advanced.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_History.help.txt	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\play-background.png	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JXJQWHOTJOGYETE\ = "CRYPTED!"	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JXJQWHOTJOGYETE\DefaultIcon	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JXJQWHOTJOGYETE\shell	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "JXJQWHOTJOGYETE"	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JXJQWHOTJOGYETE	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JXJQWHOTJOGYETE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81GjVbePNt0iBY9.exe,0"	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JXJQWHOTJOGYETE\shell\open\command	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JXJQWHOTJOGYETE\shell\open	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JXJQWHOTJOGYETE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81GjVbePNt0iBY9.exe"	a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a049d5d690915345f7c30672a058dc8a_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
7fa2a02c2c1699330fdd2b01829424be

SHA1
52e7983b01bb82c20d902e428377c870561c9d06

SHA256
8391a2e106085d21ce7803f08c05d8c86c5fc1034cc0a9ad196e5f22fd5b0e50

SHA512
21bac50e490eb017cf0875ec5c5bce662ce36c97592a7f52c008b885ca61f8478ddf468e0bc692d4c553c02711b594ccc1ad93d054de99ea338fe2ea262bc63f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
754ceb8f2ad9e9de7a98a60dce03cd2d

SHA1
905640db439cf27871d722ca8647b50e21b7f972

SHA256
68cea62c3de690f94503db839a5f288c08d4cbd7dda6181660ced567c098ad6e

SHA512
a087fca7750581232855de9093d3bfe99aad10fe221071e9b64ad0b33ff6346d5db4cb9882d19d3ba690c25f2b93bb3539285792ada3fcd2b3d17f811c3054ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
e560f3a02a4c1cb5ce5af799deb33584

SHA1
25b3da07d67dac0be81ce1715ba8bd63574516c2

SHA256
d0b40a9e6067adc340a8ae3f0422ca513e261eed6dc9b92b0dc3e6ec94830438

SHA512
eaf8fb6aec5f5236c5e078327ba8747c400a9ad47cdafdc0fd658c2475bf22b89d44ee8f27c360d25662a54945bbc9ffeae47bc671744423e4c1771867f1e418

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
313c7a4643a0048f455cdab6e971b70a

SHA1
14309dc219c5dedd3f17a8bd72144cccd384f9da

SHA256
3a8b8570c76bbeb9a50564756e3c50597068235f7723a7f211f9d3e15ef3955b

SHA512
7ffd6e8edd2aa271386ea1cb72b2ced9a182d32e3cd299bb06876ac054b529677d90e6c04a2e4370f0d6e577d444072592b8cc96cb4cb3980e95745c0fbad211

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
bcaa63c30380c92c373c591124ddff0e

SHA1
8a48287df78c7f84452fd1c68fa6985664c4980b

SHA256
a2052fe76bab5defbf4d7955175164a398844da028fbfb88ea84f896a01bd0dd

SHA512
95eee86c7768a0c0e92829285bab031f01ca5ea0e7fc461b16f4c72b6889d1703c6b6afc44dc7aa9f0516a4d6e9998a175e24c045145b89cde35c8fecab2fe20

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ac1e562ec8567de7aa21424714dbd3af

SHA1
be71c90d7da448feb0b96f32f57372db8000499a

SHA256
be12741f48efe2e7677837b1b9e60bda6f9db21bcc6f6ffd4f8ff722e5959fa8

SHA512
24e0cec4af14e76b991aa7c05b277ca0d0e1039ef429b355addfc990964b4bb784092e0d27d82eaf44a9e86ea4ebaef50698d84368ba40a0d251d5e108b244cf

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
361995fc874e3ebbe9597461af955755

SHA1
e7494d2db0ee477110559c5603c94f83f5781535

SHA256
2df9ed0d8e19e5ae0a4cfd58eea54e38f043bab78c1ea8276e2fe4ff8e880470

SHA512
46c0e0cf28f32db474c988641993ec7e5cd463b8424897a90ba8e8ed0266fa67c6b9da3fec659a2d9d98d14438e29e8fbc15fb1b349ece812d482e28a388fc30

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
edda91b246d82df280ae7dbad7709c70

SHA1
3fd6a39ce0a06ca3e65cf453b34b4dea141c1f83

SHA256
8c2c958ecb7e3ae1645489fcb97148d99d81e76f7bc894f5d0282f928c61399e

SHA512
f45e36434d5fd0c11cc96ab2f967671b48c274d41497380e131f96bca440d00ab289508408353453c8d6f976cec735a30c20268b5c5cc45214c2fe80ef0cdea0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
a4dc5ebe45f42cecd6a21f522ea6a3d1

SHA1
3298e93098e9d8e88cb5c07a99bcc18de2ef0ab2

SHA256
c20a6071059a0e0f67ab55991448bb7a364b008d5d8b5a3889a46f2959d9e3a5

SHA512
2084be2872118ec7c4296e50945090909a9e8d1548337e3ebe612c7006b9928fe2a1f72240fc28d75e313b81d17cc6221297bcf220b949c59b2a9b2b8719f104

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
7383755058e0cd2a01bb411c165cde58

SHA1
c30dedb05a35afd7e03b682f6d9a0ad16a9c7201

SHA256
b972016874d51a812bc675aca085bcb08e460e09c58fcdaf70243387bca44dc1

SHA512
6d17962bc334e869c937727cbf4d29d95359f259733f38263ef7881cba0207de6c534c6b0a947803b5b1ec192f904134708731191b647a7ceb7b9b192846e1f2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
690aead534cd824f57fab35b1193a777

SHA1
9f87b9d594454aed0d9e3627cf5e6352675871ed

SHA256
900b9c9eaac551d937b0b6322bea29561da31422ee955b22c52c45bbc8ac326a

SHA512
f3cadb755eb51c32ab212f7ba7eb428ec13ec5d72bfe7ba45cdbd4974491d0cf8fde0d348a3faaec8aa6043580bcbedc200008d9fabe09c3a20ec8429e04c61e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads