Analysis
max time kernel: 140s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 18:39
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe
Resource: win10v2004-20250502-en
General
Target: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe
Size: 771KB
MD5: 1c7c823802cafdb7b2af675db978ec20
SHA1: ea1a3e01b3c8f2b0de588ec88d2a42e046b8eb1b
SHA256: 4042d48fbecf63ed94a827b3737349bcc64bd335dff2771cdc80d44a19779f45
SHA512: eadab0a37d572d00099e4ddd629dec2922422a215476cc4b9c9e095893fd2c333a5478ae849580797d739f2e6e263e1cce184714d1962d05e396d37a862495d2
SSDEEP: 12288:Z72mvyw+oxOml8bo2vNp0GUX8Jme6Zgj7X24QnbFrXwIG4fEYzj7qT+dLF+1:Z72Pw+oxyvdYZtRAIDfndM
Malware Config
Signatures

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No file or registry IoCs are listed for this signature in the report.
Drops file in System32 directory (64 IoCs)
description: File opened for modification
process: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe (for every entry below)
ioc:
C:\Windows\SysWOW64\wbem\WMIADAP.exe
C:\Windows\SysWOW64\where.exe
C:\Windows\SysWOW64\auditpol.exe
C:\Windows\SysWOW64\stordiag.exe
C:\Windows\SysWOW64\userinit.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
C:\Windows\SysWOW64\certutil.exe
C:\Windows\SysWOW64\control.exe
C:\Windows\SysWOW64\dfrgui.exe
C:\Windows\SysWOW64\NETSTAT.EXE
C:\Windows\SysWOW64\RdpSa.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\shrpubw.exe
C:\Windows\SysWOW64\taskkill.exe
C:\Windows\SysWOW64\cmdkey.exe
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\isoburn.exe
C:\Windows\SysWOW64\TSTheme.exe
C:\Windows\SysWOW64\Utilman.exe
C:\Windows\SysWOW64\wbem\mofcomp.exe
C:\Windows\SysWOW64\wbem\WinMgmt.exe
C:\Windows\SysWOW64\GameBarPresenceWriter.exe
C:\Windows\SysWOW64\help.exe
C:\Windows\SysWOW64\label.exe
C:\Windows\SysWOW64\mountvol.exe
C:\Windows\SysWOW64\quickassist.exe
C:\Windows\SysWOW64\UserAccountControlSettings.exe
C:\Windows\SysWOW64\PATHPING.EXE
C:\Windows\SysWOW64\verifiergui.exe
C:\Windows\SysWOW64\backgroundTaskHost.exe
C:\Windows\SysWOW64\OposHost.exe
C:\Windows\SysWOW64\scrnsave.scr
C:\Windows\SysWOW64\sdbinst.exe
C:\Windows\SysWOW64\F12\IEChooser.exe
C:\Windows\SysWOW64\print.exe
C:\Windows\SysWOW64\psr.exe
C:\Windows\SysWOW64\raserver.exe
C:\Windows\SysWOW64\AtBroker.exe
C:\Windows\SysWOW64\dvdplay.exe
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\SysWOW64\CloudNotifications.exe
C:\Windows\SysWOW64\getmac.exe
C:\Windows\SysWOW64\mmgaserver.exe
C:\Windows\SysWOW64\cleanmgr.exe
C:\Windows\SysWOW64\fontdrvhost.exe
C:\Windows\SysWOW64\mspaint.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\SysWOW64\RunLegacyCPLElevated.exe
C:\Windows\SysWOW64\attrib.exe
C:\Windows\SysWOW64\CertEnrollCtrl.exe
C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\SysWOW64\dtdump.exe
C:\Windows\SysWOW64\newdev.exe
C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe
C:\Windows\SysWOW64\Taskmgr.exe
C:\Windows\SysWOW64\Com\comrepl.exe
C:\Windows\SysWOW64\Com\MigRegDB.exe
C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE
C:\Windows\SysWOW64\logman.exe
C:\Windows\SysWOW64\runas.exe
C:\Windows\SysWOW64\user.exe
C:\Windows\SysWOW64\wsmprovhost.exe
C:\Windows\SysWOW64\xwizard.exe
C:\Windows\SysWOW64\Dism\DismHost.exe
Drops file in Program Files directory (64 IoCs)
description: File opened for modification
process: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe (for every entry below)
ioc:
C:\Program Files\Mozilla Firefox\maintenanceservice.exe
C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\pwahelper.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe
C:\Program Files\Java\jdk-1.8\bin\jstack.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE
C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files\Java\jdk-1.8\bin\keytool.exe
C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\pwahelper.exe
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe
C:\Program Files\Internet Explorer\ExtExport.exe
C:\Program Files\Internet Explorer\ielowutil.exe
C:\Program Files\Java\jre-1.8\bin\unpack200.exe
C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe
C:\Program Files\Java\jre-1.8\bin\pack200.exe
C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe
C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedgewebview2.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe
C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdate.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_stub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86781\java.exe
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge.exe
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\cookie_exporter.exe
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateBroker.exe
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
C:\Program Files\Microsoft Office\root\Office16\msoia.exe
Drops file in Windows directory (64 IoCs)
description: File opened for modification
process: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe (for every entry below)
ioc:
C:\Windows\WinSxS\amd64_microsoft-windows-containers-ccg_31bf3856ad364e35_10.0.19041.844_none_3a7392af5414371e\CCG.exe
C:\Windows\WinSxS\amd64_microsoft-windows-security-secedit_31bf3856ad364e35_10.0.19041.1_none_64d83b9e511c141f\SecEdit.exe
C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\r\UNPUXHost.exe
C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_ebe59bdc3d4ddc3f\FlashPlayerApp.exe
C:\Windows\WinSxS\wow64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.19041.844_none_c47fb20821633815\imecfmui.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
C:\Windows\WinSxS\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.173_none_f837263e7fdd508f\r\sppsvc.exe
C:\Windows\WinSxS\amd64_microsoft-windows-recover_31bf3856ad364e35_10.0.19041.1_none_3c045b5253f885ed\recover.exe
C:\Windows\WinSxS\wow64_microsoft-windows-m..-management-console_31bf3856ad364e35_10.0.19041.746_none_f7c1402f08d2457a\r\mmc.exe
C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\UevTemplateConfigItemGenerator.exe
C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.264_none_5481650943811810\SpatialAudioLicenseSrv.exe
C:\Windows\WinSxS\amd64_microsoft-windows-c..-disposableclientvm_31bf3856ad364e35_10.0.19041.985_none_c3639a9e3ab1a351\f\WindowsSandboxClient.exe
C:\Windows\WinSxS\amd64_microsoft-windows-b..iondata-cmdlinetool_31bf3856ad364e35_10.0.19041.1_none_3e1c0a49448926c6\bcdedit.exe
C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.19041.1081_none_955497efbb030cb9\r\wermgr.exe
C:\Windows\WinSxS\amd64_microsoft-windows-lua_31bf3856ad364e35_10.0.19041.1_none_5c3b6ab5fc28f1f3\consent.exe
C:\Windows\WinSxS\amd64_microsoft-windows-w..ebviewhost.appxmain_31bf3856ad364e35_10.0.19041.264_none_e85c49c0793f9f24\f\Win32WebViewHost.exe
C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.1266_none_1abb9653828c3f41\f\SecurityHealthHost.exe
C:\Windows\WinSxS\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_10.0.19041.1_none_540191f5bdbc78d5\nbtstat.exe
C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\r\wksprt.exe
C:\Windows\WinSxS\amd64_microsoft-windows-t..ices-appcompattools_31bf3856ad364e35_10.0.19041.1_none_a9109d150b1bf064\acregl.exe
C:\Windows\WinSxS\amd64_microsoft-windows-d..-certificateinstall_31bf3856ad364e35_10.0.19041.1_none_efa641d58a943e71\dmcertinst.exe
C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\wksprt.exe
C:\Windows\WinSxS\wow64_microsoft-windows-com-complus-setup_31bf3856ad364e35_10.0.19041.1_none_a9ed911ec30c76c5\mtstocom.exe
C:\Windows\WinSxS\wow64_microsoft-windows-dpapi-keys_31bf3856ad364e35_10.0.19041.1_none_3e188ad1a12f1c4d\dpapimig.exe
C:\Windows\WinSxS\wow64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.19041.1110_none_af1474f55f209109\raserver.exe
C:\Windows\WinSxS\amd64_microsoft-windows-autofmt_31bf3856ad364e35_10.0.19041.1_none_9be54a615e8b9e53\autofmt.exe
C:\Windows\WinSxS\amd64_microsoft-windows-refsutil_31bf3856ad364e35_10.0.19041.1_none_a0a8212dcec26473\refsutil.exe
C:\Windows\WinSxS\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1110_none_ac2441dbb712f006\r\sdchange.exe
C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_bd2b0ef5b58e1540\r\wscript.exe
C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-cpl_31bf3856ad364e35_10.0.19041.1202_none_cc46843e404eb749\f\BitLockerWizard.exe
C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrmUi.exe
C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.153_none_c8fbed52dad932cb\systemreset.exe
C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\f\UNPUXHost.exe
C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.1_none_2305f6cf48d996c7\sethc.exe
C:\Windows\WinSxS\amd64_microsoft-windows-autochk_31bf3856ad364e35_10.0.19041.1266_none_56b9c0cf76f27918\autochk.exe
C:\Windows\WinSxS\amd64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_43c494653a7536d0\r\wiaacmgr.exe
C:\Windows\WinSxS\amd64_multipoint-wmssvc_31bf3856ad364e35_10.0.19041.1_none_76b501b13155d66b\WmsSvc.exe
C:\Windows\WinSxS\amd64_microsoft-windows-e..crosoftedgedevtools_31bf3856ad364e35_10.0.19041.1_none_65a5646e8443d0f8\MicrosoftEdgeDevTools.exe
C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\appcmd.exe
C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\r\UNPUXLauncher.exe
C:\Windows\WinSxS\amd64_microsoft-windows-winlogon-tools_31bf3856ad364e35_10.0.19041.746_none_726cc4a1ebcb1c1e\wlrmdr.exe
C:\Windows\WinSxS\wow64_microsoft-windows-sctasks_31bf3856ad364e35_10.0.19041.906_none_72b8b02e4865ebca\r\schtasks.exe
C:\Windows\WinSxS\wow64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_61ef8d34a0953a91\WMIC.exe
C:\Windows\WinSxS\wow64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_10.0.19041.746_none_dbe4ac1121d6e6d7\f\CertEnrollCtrl.exe
C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\r\AppVDllSurrogate.exe
C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1_none_63e4d70575e86068\unregmp2.exe
C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\printui.exe
C:\Windows\WinSxS\amd64_netfx-ieexec_b03f5f7f11d50a3a_10.0.19041.1_none_6a5de40c0a30489e\IEExec.exe
C:\Windows\WinSxS\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_f827f008f8832bd5\f\rasautou.exe
C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-adamsync_31bf3856ad364e35_10.0.19041.1081_none_6700b2d2d3c0055f\f\adamsync.exe
C:\Windows\WinSxS\wow64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.1_none_4247919c34819e8e\pcaui.exe
C:\Windows\WinSxS\wow64_microsoft-windows-m..player-shellpreview_31bf3856ad364e35_10.0.19041.1_none_80e38b0746f5a926\wmprph.exe
C:\Windows\WinSxS\wow64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_0565d41cd46ec20a\msinfo32.exe
C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\wkspbroker.exe
C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_6331d348ae4a8fa9\poqexec.exe
C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux-dlg_31bf3856ad364e35_10.0.19041.1_none_544850fb795d0a4f\changepk.exe
C:\Windows\WinSxS\amd64_microsoft-windows-dispdiag_31bf3856ad364e35_10.0.19041.1_none_fad576d8cf74b38a\dispdiag.exe
C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1_none_b6a6a2ae8b1ec7b0\vfpctrl.exe
C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe
C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.264_none_4de8bd849baaa96f\WerFaultSecure.exe
C:\Windows\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_40b989c5d3ea9316\r\EaseOfAccessDialog.exe
C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\f\SpeechModelDownload.exe
C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1081_none_5500d10e49b43346\r\ByteCodeGenerator.exe
C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.207_none_4054ef70f69f6ff9\r\wpr.exe
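Two things about the three "Drops file" sections matter for response. First, every IoC they record is of type "File opened for modification", and every target is a pre-existing executable (.exe/.scr) under SysWOW64, Program Files or WinSxS: the report shows the sample opening these files with write access, not that it created new files, and it does not show whether any bytes were actually changed. Second, that question is answerable on a suspected host, because these binaries carry Authenticode signatures (embedded or via the Windows catalog). The PowerShell below is an added example written for this page, not part of the sandbox output; it takes a subset of the paths listed above (the subset, the function name and the CSV location are this editor's choices) and reports the signature status, SHA-256 and last-write time of each. Run it from an elevated prompt so the WinSxS and WindowsApps paths are readable.

```powershell
# Added example (not from the sandbox report): check a host for tampering with
# binaries this sample opened for modification.
# The path list below is a subset copied from the report's IoC sections.
$ReportedPaths = @(
    'C:\Windows\SysWOW64\userinit.exe'
    'C:\Windows\SysWOW64\rundll32.exe'
    'C:\Windows\SysWOW64\certutil.exe'
    'C:\Windows\SysWOW64\reg.exe'
    'C:\Windows\SysWOW64\Taskmgr.exe'
    'C:\Windows\SysWOW64\wbem\WMIC.exe'
    'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe'
    'C:\Program Files\Mozilla Firefox\firefox.exe'
    'C:\Program Files\Google\Chrome\Application\chrome.exe'
)

function Get-ReportedBinaryState {
    # Hypothetical helper name chosen for this example.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            # Not every reported path exists on every host (different app set).
            [pscustomobject]@{
                Path = $p; SigStatus = 'Missing'; Signer = $null
                Sha256 = $null; LastWriteUtc = $null
            }
            continue
        }

        # Get-AuthenticodeSignature validates embedded signatures and, for
        # Windows binaries, looks the file hash up in the installed catalogs.
        # Valid        -> bytes match the signature/catalog
        # HashMismatch -> embedded-signed file whose bytes were altered
        # NotSigned    -> no embedded signature and no matching catalog entry
        #                 (what a patched catalog-signed OS file looks like)
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $item = Get-Item -LiteralPath $p

        [pscustomobject]@{
            Path         = $p
            SigStatus    = $sig.Status.ToString()
            Signer       = $sig.SignerCertificate.Subject
            Sha256       = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            LastWriteUtc = $item.LastWriteTimeUtc
        }
    }
}

$state = Get-ReportedBinaryState -Path $ReportedPaths
$state | Format-Table -AutoSize

# Anything other than Valid is worth a closer look. Export those rows so the
# hashes can be compared against a clean reference image of the same build.
$state |
    Where-Object { $_.SigStatus -ne 'Valid' } |
    Export-Csv -NoTypeInformation -LiteralPath "$env:TEMP\reported-binaries-suspect.csv"
```

Treat LastWriteUtc as supporting evidence only; a modifier can reset it, whereas a hash that no longer matches its signature or catalog cannot be argued away. For the protected files under C:\Windows, the built-in `sfc /verifyonly` performs the same kind of catalog check across the whole set rather than this subset.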
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe (PID 1692)
command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery