65fc86c4ce308b644af6121a6c505ebff7c7532770cd46f9cd9bd8fb391bfd51

Analysis

max time kernel
92s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
Size

30KB
MD5

ec5ca5e4aafd66caa4a4c5458b765cf2
SHA1

492e3c7936aeed14b73735a9f34a3fc94730d755
SHA256

65fc86c4ce308b644af6121a6c505ebff7c7532770cd46f9cd9bd8fb391bfd51
SHA512

a82844f4a05fcdc5172604564e2948a7276dd6cb0c08b18e645430320596cd64f87371bae47ecd2d0849d30f177465b4c48f4b8741c1771c8cc0e90725af821c
SSDEEP

384:mebFNw4Pk1itKkpAjjI2YpdmCLv/0WrZFs+vKprIXUdKdeK2SC5Vfv:m0FmBkpKjPYp7vPr7s4Kpr2deK2Nb

Score

8^/10

discovery persistence ransomware spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0Da3N2xFp6Xv267.exe"	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\bda.inf_amd64_d32fe6b1c2b7b2a5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_d823e3edc27ae17c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmscli.inf_amd64_b39ea5f4658998de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Configuration\BaseRegistration\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Configuration\Registration\MSFT_FileDirectoryConfiguration\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tpmvsc.inf_amd64_9b03a5f041e8d2b2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\Common\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_bbd46500a9d0e020\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmagm64.inf_amd64_7f60bc7ff484a292\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgen.inf_amd64_977aa23dfab87f15\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oobe\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\Common\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmotou.inf_amd64_8370fa408706074c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrm\0C0A\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas3i.inf_amd64_79c7a4d8be0a9744\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrgl.inf_amd64_19bd1d6c2b642b6f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\scunknown.inf_amd64_90993a57907d9959\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\LogFiles\Scm\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmjf56e.inf_amd64_07bca0bfd5173050\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\eaphost.inf_amd64_d37080dfb66d830b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\flpydisk.inf_amd64_acb1691126c93472\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_cnl.inf_amd64_a60833fda31e9831\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ialpss2i_i2c_skl.inf_amd64_9d9dbb01837eba23\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdgpio2.inf_amd64_808fe94735c4c6b3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Configuration\BaseRegistration\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_cdrom.inf_amd64_f08f2fe1cde58aef\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_magneticstripereader.inf_amd64_86e291110e37418b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbus.inf_amd64_a192dbf28b4634a7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\el-GR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_161e1375bcff85d9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmvdot.inf_amd64_04863374c9db2052\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\SHARED\res\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0003\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_usb.inf_amd64_17c270ca25f45542\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtexas.inf_amd64_ed0ab85128ed7a01\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sdbus.inf_amd64_55c0c78952233d0c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\xml\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cmbatt.inf_amd64_554d46f6008bc631\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl006.inf_amd64_130cd40b355024c9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgsm.inf_amd64_d7b1959484ec8228\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\Volume\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wdma_usb.inf_amd64_e879d41db6fd1ab8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hkkmppbeggjmooll.bmp"	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactNative\Tracing\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\Windows Defender\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\fonts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a673a811fe1122c1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ci-wldp-dll_31bf3856ad364e35_10.0.19041.662_none_7d38bfcd1db751da\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationUI.Resources\3.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fodhelper-ux.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0281884e322425b8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_10.0.19041.1_it-it_72cd48c0670b4651\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mapcontrol.resources_31bf3856ad364e35_10.0.19041.1_de-de_8ab0e8e19f0996be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..ctivities.resources_31bf3856ad364e35_10.0.19041.1_it-it_2aaa0a482ebd8313\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b04a9ba801ea7788\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-gdi32_31bf3856ad364e35_10.0.19041.1_none_19c461d21d0fd3e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_10.0.19041.1288_none_09bb3dbe72898e4d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-e..ardplugin.resources_31bf3856ad364e35_10.0.19041.1_it-it_9305c0b27100793f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..ation-net.resources_31bf3856ad364e35_10.0.19041.1_it-it_e01c215223d87c9c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..onal-keyboard-kbdcr_31bf3856ad364e35_10.0.19041.1_none_370722b5ed6a7207\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\diagnostics\system\WindowsUpdate\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-analog-voice-adapters_31bf3856ad364e35_10.0.19041.746_none_823c8098c95ed03d\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..t-resources-mrmcore_31bf3856ad364e35_10.0.19041.264_none_c9604b1dc0c642f9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..e_iassvcs.resources_31bf3856ad364e35_10.0.19041.1_es-es_a6866d0b320f1d2d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ket-win32.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_ac48efd542e80e9a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setup-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_50f51366663a831c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smbserver-powershell_31bf3856ad364e35_10.0.19041.1_none_12fcd173608a3b6a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_scsidev.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_8f35ddff6eb4d994\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..agnostics.resources_31bf3856ad364e35_10.0.19041.1_de-de_f94a73b165ea4cf8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-onecoreuap-rastls_31bf3856ad364e35_10.0.19041.1081_none_a30d40b790064397\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-statemanager.resources_31bf3856ad364e35_10.0.19041.1_en-us_36d1a55a2be58c8a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..honeservice-desktop_31bf3856ad364e35_10.0.19041.746_none_0675f86f015a9e94\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tionuxexe.resources_31bf3856ad364e35_10.0.19041.1_es-es_fa3b5e2d50491262\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-applicationmodel_31bf3856ad364e35_10.0.19041.264_none_ffe742d1fdbcaf8c\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_ddores.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_412d4785cd877244\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_hidscanner.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_1d66074e17d6cca4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-u..itefilter.resources_31bf3856ad364e35_10.0.19041.1_es-es_f73f3d05b3794e32\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..etoolsgui.resources_31bf3856ad364e35_10.0.19041.1_es-es_0b45fc51e33f369b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-perceptionapi-stub_31bf3856ad364e35_10.0.19041.1023_none_f01fe2bd09cb41aa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ru-ru_f212f1ebceb5ba45\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\diagnostics\system\Device\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_dual_rtux64w10.inf_31bf3856ad364e35_10.0.19041.1_none_1d98d45a56548a3e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1_none_3c360c9e8a3e64cb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mup.resources_31bf3856ad364e35_10.0.19041.1_it-it_22f02320409b54f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sud_31bf3856ad364e35_10.0.19041.1_none_5d970245fb47b0e9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_system.componentmod..istration.resources_b77a5c561934e089_4.0.15805.0_es-es_8c6e5d36069f2983\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_en-us_2407d4644e9a741d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Dtc.Resources\3.0.0.0_it_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_intelpmax.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_7bb5a0cd2e687cbf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_18031d2fa36af55c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..eelevated.resources_31bf3856ad364e35_10.0.19041.1_en-us_47b2ef00764d8c40\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-searchfolder-library_31bf3856ad364e35_10.0.19041.1266_none_0499e0f02267f631\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-onex.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bf8a725a082c584c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-update-orchestratorapi_31bf3856ad364e35_10.0.19041.1266_none_b8c61cc731c84774\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft.powershel..resources.resources_31bf3856ad364e35_10.0.19041.1_es-es_41dcd20a820bff35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\sysglobl.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_1394.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_477c436b7e831d73\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-windowmanagement_31bf3856ad364e35_10.0.19041.264_none_3108689b2f24e931\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx-config_files_.._regsvcs_exe_config_31bf3856ad364e35_10.0.19041.1_none_b343d1416fbbbb9c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..texplorer.resources_31bf3856ad364e35_11.0.19041.1_it-it_b419c49c2927b83b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..anagement.resources_31bf3856ad364e35_10.0.19041.1_it-it_57478633ac8ed592\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..icysnapin.resources_31bf3856ad364e35_10.0.19041.1_de-de_f17dd476303da480\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-com-dtc-setup_31bf3856ad364e35_10.0.19041.746_none_76199c1c412ad571\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..ommunicationsupport_31bf3856ad364e35_10.0.19041.1_none_db31cc6ec76cd60f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netfx-ngen_exe_b03f5f7f11d50a3a_10.0.19041.1_none_f0f8491ec727a0ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_wpdmtp.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_84acdc519efa1529\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_wsdapi.resources_31bf3856ad364e35_10.0.19041.1_de-de_2839f83915e9ff0a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_aspnetmmcext.resources_b03f5f7f11d50a3a_10.0.19041.1_fr-fr_3704ba86617d8f09\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-msxml30_31bf3856ad364e35_10.0.19041.1_none_48b3f8706a946ab2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hYcsG\ = "NBLIWDNCXHILJFV"	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NBLIWDNCXHILJFV	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NBLIWDNCXHILJFV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0Da3N2xFp6Xv267.exe,0"	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NBLIWDNCXHILJFV\shell\open	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hYcsG	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NBLIWDNCXHILJFV\DefaultIcon	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NBLIWDNCXHILJFV\shell\open\command	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NBLIWDNCXHILJFV\shell	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NBLIWDNCXHILJFV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0Da3N2xFp6Xv267.exe"	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NBLIWDNCXHILJFV\ = "CRYPTED!"	ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec5ca5e4aafd66caa4a4c5458b765cf2_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
395B

MD5
cc34d0b040f41bc538903ad351ea6e66

SHA1
47ddae9973f9ffebf5320d86189f8bb24e38ede7

SHA256
9bf248d49b9ddd35307457af659c1d9e42e9d926accbb93f9dd02ec14349bfbb

SHA512
bbe66e13232b1905edf22deb14c8ea824fca45d49c75882a54f8798b68644505614af7bab29b0f6b27424e6acc218fd50fc4af836f1fee4d93ef41f0235776ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads