Analysis
max time kernel: 140s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
submitted: 04/07/2025, 18:39
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe
Resource: win10v2004-20250502-en
General
Target: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe
Size: 771KB
MD5: 1c7c823802cafdb7b2af675db978ec20
SHA1: ea1a3e01b3c8f2b0de588ec88d2a42e046b8eb1b
SHA256: 4042d48fbecf63ed94a827b3737349bcc64bd335dff2771cdc80d44a19779f45
SHA512: eadab0a37d572d00099e4ddd629dec2922422a215476cc4b9c9e095893fd2c333a5478ae849580797d739f2e6e263e1cce184714d1962d05e396d37a862495d2
SSDEEP: 12288:Z72mvyw+oxOml8bo2vNp0GUX8Jme6Zgj7X24QnbFrXwIG4fEYzj7qT+dLF+1:Z72Pw+oxyvdYZtRAIDfndM
Malware Config
Signatures
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (64 IoCs)
description: File opened for modification (all 64 rows)
Process: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe (all 64 rows)
ioc:
- C:\Windows\SysWOW64\ARP.EXE
- C:\Windows\SysWOW64\GameBarPresenceWriter.exe
- C:\Windows\SysWOW64\msiexec.exe
- C:\Windows\SysWOW64\PhotoScreensaver.scr
- C:\Windows\SysWOW64\wevtutil.exe
- C:\Windows\SysWOW64\cscript.exe
- C:\Windows\SysWOW64\cttunesvr.exe
- C:\Windows\SysWOW64\mobsync.exe
- C:\Windows\SysWOW64\nslookup.exe
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\TSTheme.exe
- C:\Windows\SysWOW64\cleanmgr.exe
- C:\Windows\SysWOW64\CredentialUIBroker.exe
- C:\Windows\SysWOW64\icacls.exe
- C:\Windows\SysWOW64\mfpmp.exe
- C:\Windows\SysWOW64\SearchFilterHost.exe
- C:\Windows\SysWOW64\setup16.exe
- C:\Windows\SysWOW64\expand.exe
- C:\Windows\SysWOW64\getmac.exe
- C:\Windows\SysWOW64\icsunattend.exe
- C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
- C:\Windows\SysWOW64\SystemPropertiesProtection.exe
- C:\Windows\SysWOW64\TpmTool.exe
- C:\Windows\SysWOW64\grpconv.exe
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
- C:\Windows\SysWOW64\EhStorAuthn.exe
- C:\Windows\SysWOW64\bitsadmin.exe
- C:\Windows\SysWOW64\isoburn.exe
- C:\Windows\SysWOW64\mcbuilder.exe
- C:\Windows\SysWOW64\rasphone.exe
- C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
- C:\Windows\SysWOW64\scrnsave.scr
- C:\Windows\SysWOW64\InputSwitchToastHandler.exe
- C:\Windows\SysWOW64\InstallShield\_isdel.exe
- C:\Windows\SysWOW64\PkgMgr.exe
- C:\Windows\SysWOW64\setupugc.exe
- C:\Windows\SysWOW64\dvdplay.exe
- C:\Windows\SysWOW64\IME\SHARED\imecfmui.exe
- C:\Windows\SysWOW64\logman.exe
- C:\Windows\SysWOW64\notepad.exe
- C:\Windows\SysWOW64\setx.exe
- C:\Windows\SysWOW64\wowreg32.exe
- C:\Windows\SysWOW64\RMActivate_ssp.exe
- C:\Windows\SysWOW64\cliconfg.exe
- C:\Windows\SysWOW64\at.exe
- C:\Windows\SysWOW64\msfeedssync.exe
- C:\Windows\SysWOW64\odbcconf.exe
- C:\Windows\SysWOW64\rrinstaller.exe
- C:\Windows\SysWOW64\RunLegacyCPLElevated.exe
- C:\Windows\SysWOW64\sdchange.exe
- C:\Windows\SysWOW64\BackgroundTransferHost.exe
- C:\Windows\SysWOW64\dpapimig.exe
- C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe
- C:\Windows\SysWOW64\typeperf.exe
- C:\Windows\SysWOW64\PATHPING.EXE
- C:\Windows\SysWOW64\srdelayed.exe
- C:\Windows\SysWOW64\takeown.exe
- C:\Windows\SysWOW64\wlanext.exe
- C:\Windows\SysWOW64\perfmon.exe
- C:\Windows\SysWOW64\prevhost.exe
- C:\Windows\SysWOW64\proquota.exe
- C:\Windows\SysWOW64\relog.exe
- C:\Windows\SysWOW64\write.exe
- C:\Windows\SysWOW64\dccw.exe
Drops file in Program Files directory (64 IoCs)
description: File opened for modification (all 64 rows)
Process: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe (all 64 rows)
ioc:
- C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
- C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Installer\setup.exe
- C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe
- C:\Program Files\Java\jdk-1.8\bin\wsimport.exe
- C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_proxy.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
- C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
- C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
- C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
- C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe
- C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE
- C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\HxAccounts.exe
- C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_helper.exe
- C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.exe
- C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
- C:\Program Files\Microsoft Office\root\Office16\msoev.exe
- C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
- C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\notification_helper.exe
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
- C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
- C:\Program Files\Mozilla Firefox\uninstall\helper.exe
- C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe
- C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe
- C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\BHO\ie_to_edge_stub.exe
- C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Install\{3153363F-C347-4BF6-B57E-CBE5F36972BA}\MicrosoftEdge_X64_133.0.3065.69.exe
- C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\MicrosoftEdgeUpdate.exe
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
- C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
- C:\Program Files\Windows Media Player\wmpshare.exe
- C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\PAD.Console.Host.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\pwahelper.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe
- C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
- C:\Program Files\Java\jre-1.8\bin\servertool.exe
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\pwahelper.exe
- C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\cookie_exporter.exe
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe
- C:\Program Files\Java\jdk-1.8\bin\ktab.exe
- C:\Program Files\Java\jdk-1.8\bin\serialver.exe
- C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\PeopleApp.exe
- C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe
- C:\Program Files (x86)\Windows Media Player\wmpshare.exe
- C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe
- C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
- C:\Program Files\Java\jdk-1.8\bin\rmid.exe
- C:\Program Files\Java\jdk-1.8\bin\xjc.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
- C:\Program Files\Java\jdk-1.8\bin\jar.exe
- C:\Program Files\Windows Mail\wab.exe
- C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Todo.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe
Drops file in Windows directory (64 IoCs)
description: File opened for modification (all 64 rows)
Process: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe (all 64 rows)
ioc:
- C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.22000.376_none_d180c9ec46d962eb\r\spoolsv.exe
- C:\Windows\WinSxS\wow64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.22000.1_none_d0ba8259b7939cb1\NetCfgNotifyObjectHost.exe
- C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_10.0.22000.120_none_fad0aab9b7fd2208\f\RMActivate_ssp_isv.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-restartmanager_31bf3856ad364e35_10.0.22000.1_none_d679057128e7af90\RmClient.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-s..up-deviceencryption_31bf3856ad364e35_10.0.22000.1_none_30a652d7a8697eb8\BitLockerDeviceEncryption.exe
- C:\Windows\WinSxS\wow64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.22000.1_none_3038f7c9577f0d5f\AtBroker.exe
- C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.22000.282_none_03b4c900a639c980\TpmTool.exe
- C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-certificaterequesttool_31bf3856ad364e35_10.0.22000.434_none_6dc3a5a2d0fafee9\f\certreq.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.22000.37_none_7461fc8593f740b9\ApproveChildRequest.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.22000.120_none_32bd480a87134e0f\sdchange.exe
- C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.22000.282_none_75821ac4f6866a77\r\WerFault.exe
- C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.22000.71_none_1c87d1fdc5c5037f\f\raserver.exe
- C:\Windows\winhlp32.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.22000.65_none_64161fe87cb55cea\pcaui.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.22000.65_none_90fb210207715818\LaunchTM.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.22000.348_none_1cb0f82bf1aef3cc\lpksetup.exe
- C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessmentBrowser.exe
- C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.22000.318_none_2bc95a47eaa37094\f\hvix64.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.22000.1_none_04376727db53ed5d\setup_wm.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_10.0.22000.282_none_a808d085c7f06d67\f\nfsclnt.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.22000.282_none_4902a165a673e741\f\mstsc.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.22000.469_none_8c502cfed26c810b\f\TrustedInstaller.exe
- C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.22000.348_none_790557e9d75b5a9c\f\SpeechModelDownload.exe
- C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.22000.282_none_31bc5b70e4490cff\r\vmms.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.22000.376_none_c7a79de54d7799ec\r\AppVDllSurrogate.exe
- C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.22000.282_none_555ad0e288836a51\f\SearchFilterHost.exe
- C:\Windows\WinSxS\wow64_microsoft-windows-control_31bf3856ad364e35_10.0.22000.318_none_9f38aa7663fcbf45\f\control.exe
- C:\Windows\WinSxS\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_10.0.22000.120_none_0f0554e930e1de1c\RMActivate_ssp.exe
- C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..te-musnotifyiconexe_31bf3856ad364e35_10.0.22000.282_none_345ca27cf9ce36c0\f\MusNotifyIcon.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.22000.493_none_5c6bd6283c0b8362\CustomInstallExec.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.22000.469_none_c24a28fb71aa07c9\r\Robocopy.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.22000.318_none_9b6af6ae8c0ac6cb\dtdump.exe
- C:\Windows\WinSxS\x86_microsoft-windows-ldifde_31bf3856ad364e35_10.0.22000.1_none_1b0c42e6553e1df4\ldifde.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.22000.318_none_5cc755143bc62566\ApplyTrustOffline.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-icacls_31bf3856ad364e35_10.0.22000.1_none_88f83cb6aac344cb\icacls.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-p..-upprinterinstaller_31bf3856ad364e35_10.0.22000.1_none_094f49d32c4abf9f\UPPrinterInstaller.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\TextInputHost.exe
- C:\Windows\WinSxS\amd64_netfx4-servicemodelreg_exe_b03f5f7f11d50a3a_4.0.15806.0_none_cd062650b14ec503\ServiceModelReg.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-acluifilefoldercomtool_31bf3856ad364e35_10.0.22000.1_none_ae92c24e0a04e0bb\cacls.exe
- C:\Windows\WinSxS\amd64_netfx35linq-datasvcutil_31bf3856ad364e35_10.0.22000.1_none_e59a7bd2a1bf4e0f\DataSvcUtil.exe
- C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.22000.1_none_12ea1a72b4886bec\ssh-agent.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.22000.318_none_569ec118f1c50925\f\winload.exe
- C:\Windows\WinSxS\amd64_netfx-aspnet_regiis_exe_b03f5f7f11d50a3a_10.0.22000.1_none_6744583bcc1cfbb4\aspnet_regiis.exe
- C:\Windows\WinSxS\wow64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.22000.434_none_b4a3a74a80427a96\CheckNetIsolation.exe
- C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-twinui_31bf3856ad364e35_10.0.22000.493_none_6ec3ffab3ec4b07b\f\LaunchWinApp.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.22000.100_none_b998a9a728d6401f\f\Narrator.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-refsutil_31bf3856ad364e35_10.0.22000.434_none_e6157b76b496d682\refsutil.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-security-webauth_31bf3856ad364e35_10.0.22000.1_none_81e69386fbb62c17\AuthHost.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.22000.1_none_033e889c5d44f379\UNPUXHost.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-w..ter-cimprovider-exe_31bf3856ad364e35_10.0.22000.1_none_b98d3baff0bf243b\Register-CimProvider.exe
- C:\Windows\WinSxS\wow64_microsoft-windows-r..eak-diagnostic-core_31bf3856ad364e35_10.0.22000.1_none_bba9eafbb68c1dfb\rdrleakdiag.exe
- C:\Windows\WinSxS\wow64_windowssearchengine_31bf3856ad364e35_7.0.22000.348_none_5f6e7d4cbd14f8f7\f\SearchProtocolHost.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
- C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.22000.65_none_5df9e0d1a9b3658b\f\Spectrum.exe
- C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_10.0.22000.1_none_c0f347d59a01d496\CasPol.exe
- C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.22000.318_none_f32072a930d121b3\vmcompute.exe
- C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.22000.318_none_2bc95a47eaa37094\hvax64.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-d..mnotificationbroker_31bf3856ad364e35_10.0.22000.1_none_1df835c1eb7ab0fb\DmNotificationBroker.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.22000.1_none_c55e2b2174c8cee3\notepad.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_10.0.22000.1_none_ff7542ad94a3dbc5\TRACERT.EXE
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-iis-adminservice_31bf3856ad364e35_10.0.22000.1_none_b0ab87cdfc85e48e\WMSvc.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7c823802cafdb7b2af675db978ec20.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID: 1052