546b8ec7e53888efcb62641c0c314d43e263b4180e4ad539bd36bc3e7657c1bb

General

Target

03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
Size

799KB
MD5

03c0158479dc2353ce33cd0b1ae14ce4
SHA1

89702438246caa63aefdfd7b589c25bfe6e893c0
SHA256

546b8ec7e53888efcb62641c0c314d43e263b4180e4ad539bd36bc3e7657c1bb
SHA512

11ef2e0dec41fb698a169bacb844d8efbd8477301a6c71576b493cd1c1bd865e75137b76088e4523c85173701dba29210cd0493b3d6f3c240b4ed8518a5e377d
SSDEEP

24576:91bNWDNJ52BazRnbQSx4p+0/vzm0mTOwlqn7+LhS:9jW/5DxG3zOO57IS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXE116.tmp	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXE136.tmp	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXE0E5.tmp	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXE0F6.tmp	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c0158479dc2353ce33cd0b1ae14ce4_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\idlj.exe
Filesize
63KB

MD5
359e6074da556be5c9862a354b47dd73

SHA1
711e30c4b0a28ba21eb8ec2fe9a24d628bdd866d

SHA256
f42cea9eb4d625539e51248009d7d16c7563f807ab5e1b7bcb0359f1c405f5f2

SHA512
70a6da1a8c3c2a8e361b5f21bfd5b932db7653b46dc2f33fd02e8a18be48bd51a33d5c72eec548c9571e3f436392a9a4a055c5027c0fda0f9e3f49b81ca3ac3c

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe
Filesize
930KB

MD5
f530ffcd9184437329f0b900960664c0

SHA1
d7e8f34a0fcc0322d0b4334333dc689194819387

SHA256
a792faa258f07eb0c4c94ff3f65607fd047fa522c85bcd6fe967208e0116a393

SHA512
a6b8625d32fa57445edf4fced984b972280fa9cafd1e0eb07afbce080ce501947acf1eddaee5e9b645d239fc638526cc78984b9bd411ad8e8f7d341f130e1e9d

Download Submit
memory/2724-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-52-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-108-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-109-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-110-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2724-111-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads