Analysis

max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:27

Static task: static1
Behavioral task: behavioral1
  Sample: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
(The results below are from behavioral2, the win10v2004 x64 run.)
General

Target: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
Size: 97KB
MD5: b98322e43d25ba7b38c3417dda1e16a4
SHA1: a393719aadb658cca5ad6d151802ad35350b0c67
SHA256: 9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51
SHA512: 311599e2885fe7e4ccb4bad5d0c4d6ee948cf14307c5885b64398fd861951d86581406545395845daa666984b6f5eb2dbe6fcde66e13202033970b46623efeec
SSDEEP: 1536:5vOMoORizUPliPsm/gL16ZpQGh6MgHN+PhuLGR/11bvfMoOJ:ROxOMUMPsgQvTMY+PhGGR/117fxOJ
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4251227.exe\""
  set by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6251222.exe"
  set by: the same eight processes
Caveat: the key path carries WOW6432Node because the sample is a 32-bit process and the Winlogon key is subject to registry redirection. The 64-bit winlogon.exe on this image reads the native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, which was not touched, so on x64 Windows these two values do not change what runs at logon; on a 32-bit install the same writes would take effect. When checking a host, query both views.
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  set by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  set by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
With HideFileExt = 1 and ShowSuperHidden = 0 together, the dropped .exe/.com/.pif files show in Explorer without their extensions and protected operating-system files stay hidden for this user.
Adds policy Run key to start application (2 TTPs, 18 IoCs)
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\""
  set by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3948c = "\"C:\\Windows\\_default25122.pif\""
  set by: the same eight processes
Disables RegEdit via registry modification (8 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  set by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
This is the per-user "Prevent access to registry editing tools" policy; regedit.exe refuses to start for this account while it is set. It does not stop reg.exe or PowerShell from reading or clearing it.
Drops file in Drivers directory (1 IoCs)
File opened for modification C:\Windows\system32\drivers\etc\hosts
  by: csrss.exe
The file is the hosts name-resolution override, not a driver; an edited hosts file is worth diffing against a clean copy during triage.
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation
  by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, lsass.exe
Executes dropped EXE (7 IoCs)
PID 4476 smss.exe
PID 3832 winlogon.exe
PID 3472 services.exe
PID 2488 csrss.exe
PID 4900 lsass.exe
PID 3496 qm4623.exe
PID 2688 m4623.exe
Adds Run key to start application (2 TTPs, 16 IoCs)
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\""
  set by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3948c = "\"C:\\Windows\\j6251222.exe\""
  set by: the same eight processes
Unlike the Winlogon key, Run entries in the WOW6432Node view are processed by Explorer at logon, so the HKLM entry is effective on x64.
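The Winlogon and Run-key values above are what an analyst checks first on a suspect host. The following Python is an added example, not part of the sandbox report or of the sample's code: it compares Winlogon Shell/Userinit against the Windows defaults and tags Run and Policies\Explorer\run entries for the traits the dropped files show (a non-.exe executable extension, a system-binary name outside System32, an autostart from the user profile). SAMPLE_WINLOGON and SAMPLE_RUN are constructed from this report's IoCs, unescaped to the form the values have in the registry; the abbreviated key labels and all function names are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Windows defaults for the two Winlogon values the sample overwrote. Only the
# program path is compared, case-insensitively; the trailing comma that
# Userinit carries by default is dropped by the tokenizer.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"c:\windows\system32\userinit.exe",
}
# Names of core Windows binaries: one of these outside System32/SysWOW64 is
# masquerading (the report shows all five dropped under SysWOW64\s4827).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXEC_EXT = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd"}

# One token per quoted string or per run of non-space, non-comma characters.
_TOKEN = re.compile(r'"([^"]*)"|([^\s,"]+)')


def programs(value: str) -> list:
    """Every executable path named in a Winlogon or Run value.

    Shell/Userinit are comma-separated program lists, Run values are command
    lines; both may quote paths. Only tokens with an executable extension are
    kept, so arguments such as ~Brontok~Log~ are ignored.
    """
    found = []
    for quoted, bare in _TOKEN.findall(value):
        tok = (quoted or bare).strip()
        if PureWindowsPath(tok).suffix.lower() in EXEC_EXT:
            found.append(tok)
    return found


def audit_winlogon(values: dict) -> list:
    """Flag every program in Shell/Userinit that is not the Windows default,
    and a value from which the default has been removed altogether."""
    findings = []
    for name, default in WINLOGON_DEFAULTS.items():
        progs = programs(values.get(name, ""))
        if not any(p.lower() == default for p in progs):
            findings.append(f"Winlogon\\{name}: default {default} missing")
        for p in progs:
            if p.lower() != default:
                findings.append(f"Winlogon\\{name}: unexpected program {p}")
    return findings


def run_entry_tags(value: str) -> list:
    """Risk tags for one Run or Policies\\Explorer\\run value.

    Run keys have no default, so every entry must be reviewed; these tags
    mark the traits that need no further context to be suspicious.
    """
    tags = []
    for prog in programs(value):
        p = PureWindowsPath(prog)
        parent = str(p.parent).lower()
        if p.suffix.lower() != ".exe":
            tags.append(f"non-exe executable extension {p.suffix.lower()}")
        if p.name.lower() in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
            tags.append("system binary name outside System32")
        if "\\appdata\\" in parent + "\\" or "\\temp\\" in parent + "\\":
            tags.append("autostart from a user-writable profile directory")
    return tags


def audit(winlogon: dict, run_entries: list) -> list:
    """Both checks combined into one list of readable findings."""
    findings = audit_winlogon(winlogon)
    for key, name, value in run_entries:
        for tag in run_entry_tags(value):
            findings.append(f"{key}\\{name} = {value}: {tag}")
    return findings


# Constructed input, taken from this report's IoCs and unescaped to the form
# the values have in the registry. Key labels are abbreviated by hand.
SAMPLE_WINLOGON = {
    "Shell": r'Explorer.exe "C:\Windows\o4251227.exe"',
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\j6251222.exe",
}
SAMPLE_RUN = [
    ("HKCU\\...\\Run", "f1464Adm", r'"C:\Windows\system32\s4827\zh59927084y.exe"'),
    ("HKLM\\...\\WOW6432Node\\...\\Run", "N3948c", r'"C:\Windows\j6251222.exe"'),
    ("HKCU\\...\\Policies\\Explorer\\run", "f1464Adm",
     r'"C:\Users\Admin\AppData\Local\dv692700x\yesbron.com"'),
    ("HKLM\\...\\Policies\\Explorer\\run", "N3948c", r'"C:\Windows\_default25122.pif"'),
]
# A clean machine for comparison (Userinit keeps its default trailing comma).
CLEAN_WINLOGON = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}

if __name__ == "__main__":
    for line in audit(SAMPLE_WINLOGON, SAMPLE_RUN):
        print(line)
```

On a live host the same functions take the output of reg query (or Get-ItemProperty) for both the native and WOW6432Node views; the two entries that get no tag here (zh59927084y.exe and j6251222.exe) show why every Run entry still has to be listed and looked at, not only the tagged ones.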
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by lsass.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every letter from E: to Z: except F:)
Drops file in System32 directory (64 IoCs)
Grouped by path; everything is under C:\Windows\SysWOW64, the System32 the 32-bit sample sees through file system redirection.
C:\Windows\SysWOW64\msvbvm60.dll (the Visual Basic 6 runtime)
  opened for modification by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
C:\Windows\SysWOW64\s4827 (directory)
  opened for modification by: the same eight processes
C:\Windows\SysWOW64\c_25122k.com
  created by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
  opened for modification by: the same eight processes
C:\Windows\SysWOW64\s4827\smss.exe
  created by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe
  opened for modification by: the same eight processes
C:\Windows\SysWOW64\s4827\zh59927084y.exe
  created by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, qm4623.exe
  opened for modification by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, qm4623.exe, m4623.exe
C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin
  created and opened for modification by: smss.exe
C:\Windows\SysWOW64\s4827\winlogon.exe
  created by: smss.exe; opened for modification by: winlogon.exe
C:\Windows\SysWOW64\s4827\services.exe
  created and opened for modification by: winlogon.exe
C:\Windows\SysWOW64\s4827\csrss.exe
  created and opened for modification by: winlogon.exe
C:\Windows\SysWOW64\s4827\lsass.exe
  created and opened for modification by: winlogon.exe
C:\Windows\SysWOW64\s4827\m4623.exe
  created by: winlogon.exe
C:\Windows\SysWOW64\s4827\domlist.txt
  created by: cmd.exe; opened for modification by: lsass.exe
C:\Windows\SysWOW64\s4827\c.bron.tok.txt
  created by: lsass.exe
C:\Windows\SysWOW64\s4827\Spread.Mail.Bro\[email protected]
  created by: services.exe (the file name was replaced by the page's e-mail obfuscation and is not recoverable here)
Drops file in Windows directory (31 IoCs)
C:\Windows\o4251227.exe
  created by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
  opened for modification by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
C:\Windows\j6251222.exe
  created by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe, qm4623.exe
  opened for modification by: the same eight processes
C:\Windows\_default25122.pif
  created by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
  opened for modification by: the same eight processes
C:\Windows\Ad10218 (directory)
  opened for modification by: winlogon.exe
C:\Windows\Ad10218\qm4623.exe
  created and opened for modification by: winlogon.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Discovers systems in the same network (1 TTPs, 1 IoCs)
PID 2960 net.exe (net view /domain, output redirected by cmd.exe to C:\Windows\system32\s4827\domlist.txt)
Modifies registry class (1 IoCs)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  by: b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 3832 winlogon.exe (all 64 occurrences)
Suspicious use of WriteProcessMemory (36 IoCs)
Every parent/child pair appears three times in the sandbox output; the 12 distinct pairs are:
PID 4920 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe wrote to memory of 4476 (procid_target 91)
PID 4476 smss.exe wrote to memory of 3832 (procid_target 95)
PID 3832 winlogon.exe wrote to memory of 3472 (99), 2488 (101), 4900 (103), 3496 (105), 2688 (107), 928 (109), 392 (112), 5064 (114)
PID 4900 lsass.exe wrote to memory of 4036 (procid_target 119)
PID 4036 cmd.exe wrote to memory of 2960 (procid_target 121)
Every target is a direct child of the writer in the process tree below, which is the write pattern of ordinary process creation rather than injection into an unrelated process.
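The WriteProcessMemory rows are one of the report's two "suspicious" signatures, so it is worth confirming mechanically what they are. The following Python is an added example, not part of the sandbox report or of the sample: it parses the rows as the sandbox prints them, collapses the repeats, and labels each writer/target pair by whether the writer is the target's parent in the process tree (the writes a parent makes into a child it has just created) or not (a cross-process write, the case that deserves a closer look). WPM_ROWS, PROCESS_TREE and IMAGES are transcribed by hand from this report; the function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the report's "Suspicious use of WriteProcessMemory" rows
# as the sandbox prints them. The page has 36 rows, each of 12 parent/child
# pairs three times; this sample keeps the 12 pairs and repeats only the
# first one, which is enough to show the deduplication.
WPM_ROWS = """\
PID 4920 wrote to memory of 4476 4920 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe 91
PID 4920 wrote to memory of 4476 4920 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe 91
PID 4920 wrote to memory of 4476 4920 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe 91
PID 4476 wrote to memory of 3832 4476 smss.exe 95
PID 3832 wrote to memory of 3472 3832 winlogon.exe 99
PID 3832 wrote to memory of 2488 3832 winlogon.exe 101
PID 3832 wrote to memory of 4900 3832 winlogon.exe 103
PID 3832 wrote to memory of 3496 3832 winlogon.exe 105
PID 3832 wrote to memory of 2688 3832 winlogon.exe 107
PID 3832 wrote to memory of 928 3832 winlogon.exe 109
PID 3832 wrote to memory of 392 3832 winlogon.exe 112
PID 3832 wrote to memory of 5064 3832 winlogon.exe 114
PID 4900 wrote to memory of 4036 4900 lsass.exe 119
PID 4036 wrote to memory of 2960 4036 cmd.exe 121
"""

# child PID -> parent PID, transcribed from the Processes section of the report.
PROCESS_TREE = {
    4476: 4920, 3832: 4476, 3472: 3832, 2488: 3832, 4900: 3832, 3496: 3832,
    2688: 3832, 928: 3832, 392: 3832, 5064: 3832, 4036: 4900, 2960: 4036,
}
IMAGES = {
    4920: "b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe", 4476: "smss.exe",
    3832: "winlogon.exe", 3472: "services.exe", 2488: "csrss.exe", 4900: "lsass.exe",
    3496: "qm4623.exe", 2688: "m4623.exe", 928: "at.exe", 392: "at.exe",
    5064: "at.exe", 4036: "cmd.exe", 2960: "net.exe",
}

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_writes(text: str) -> Counter:
    """Count rows per (writer_pid, target_pid); repeated rows collapse to a count."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def classify(writes: Counter, tree: dict) -> dict:
    """Label each pair. A parent writing into the child it just created is
    the normal process-creation pattern; a write into any other process is
    the cross-process case to investigate."""
    return {
        pair: ("process creation" if tree.get(pair[1]) == pair[0] else "cross-process write")
        for pair in writes
    }


def render_tree(tree: dict, images: dict, root: int) -> list:
    """Indented process tree, one line per PID, children in PID order."""
    children = defaultdict(list)
    for child, parent in tree.items():
        children[parent].append(child)
    lines = []

    def walk(pid, level):
        lines.append("  " * level + f"{pid} {images.get(pid, '?')}")
        for c in sorted(children[pid]):
            walk(c, level + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    writes = parse_writes(WPM_ROWS)
    for pair, label in classify(writes, PROCESS_TREE).items():
        print(f"{pair[0]} -> {pair[1]}: {writes[pair]} write(s), {label}")
    print("\n".join(render_tree(PROCESS_TREE, IMAGES, 4920)))
```

On a full report, feed it every row: a pair whose writer is not the target's parent, or a target PID that never appears as a spawned process, is the one to chase; here all twelve pairs come back as process creation.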
Processes

The bracketed number is the depth in the tree. Image paths show SysWOW64 where the command line says system32 because the 32-bit processes are subject to file system redirection; each copy of the worm is launched with its own ~Brontok~...~ argument, which makes the command lines a cheap indicator.

[1] C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe (PID 4920)
    command line: "C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\s4827\smss.exe (PID 4476)
      command line: "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\s4827\winlogon.exe (PID 3832)
        command line: "C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\s4827\services.exe (PID 3472)
          command line: "C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Drops file in Windows directory

      [4] C:\Windows\SysWOW64\s4827\csrss.exe (PID 2488)
          command line: "C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Drops file in Windows directory

      [4] C:\Windows\SysWOW64\s4827\lsass.exe (PID 4900)
          command line: "C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Enumerates connected drives
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe (PID 4036)
            command line: "C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\net.exe (PID 2960)
              command line: net view /domain
              - Discovers systems in the same network

      [4] C:\Windows\Ad10218\qm4623.exe (PID 3496)
          command line: "C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Drops file in Windows directory

      [4] C:\Windows\SysWOW64\s4827\m4623.exe (PID 2688)
          command line: "C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Drops file in Windows directory

      [4] C:\Windows\SysWOW64\at.exe (PID 928)
          command line: "C:\Windows\System32\at.exe" /delete /y

      [4] C:\Windows\SysWOW64\at.exe (PID 392)
          command line: "C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"

      [4] C:\Windows\SysWOW64\at.exe (PID 5064)
          command line: "C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"

Note on the at.exe jobs: the first call deletes every existing at job, the next two try to schedule C:\Users\Admin\AppData\Local\jalak-93927015-bali.com daily at 17:08 and 11:03. On Windows 8 and later at.exe is deprecated and prints a deprecation message instead of registering a job, so on this Windows 10 image the jobs most likely never got created; on older Windows they would. The .com file path remains an indicator either way.
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (5)
Downloads

Five dropped files are available; all are 97KB, the same size as the submitted sample. The second entry is byte-identical to the sample (same hashes); the other four differ in content despite the identical size.

Filesize: 97KB
MD5: d7c9c847bb18e1d8d660a8d7131a0bd4
SHA1: e71a019cd991b55a0d2dbe28fd6849ad3fb5652f
SHA256: 0bec29a05754b63ec110080bf220584759ffbf0aa73afb702babed788329d855
SHA512: 45d44a5fdb76e3106f6f7d0f87cff33c4c989e06e6ac1d15b48d864710b8c81cc77e1e0737c33fca3ffeba45b5727e1f0d73a4a14995fa74c7d117bc7d23b4d7

Filesize: 97KB
MD5: b98322e43d25ba7b38c3417dda1e16a4
SHA1: a393719aadb658cca5ad6d151802ad35350b0c67
SHA256: 9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51
SHA512: 311599e2885fe7e4ccb4bad5d0c4d6ee948cf14307c5885b64398fd861951d86581406545395845daa666984b6f5eb2dbe6fcde66e13202033970b46623efeec

Filesize: 97KB
MD5: b3c64b09b9545db87fb18d1c61eea5e4
SHA1: 304279ac23e6fbc57ddf944b0bc7d5411cbe5b43
SHA256: e53ba6b4b3653c15b1215d9861b8cbd23cb6abc9f1e2aa8d5439fb8686f1799d
SHA512: bef8d808dd4c37038b3f3228c6b9d165702e439b43106ba0d5406015eaaa46400c80e4bd6d3ac6a13eb67efd79576ac3da9ffed04cdc6e41f0f589c6dd1f4c4b

Filesize: 97KB
MD5: 87e74a75a08c6314c15653161ae3fe37
SHA1: 3c8be278b74c15d3c2770ab89ba98aff1aaf2130
SHA256: 4ab2da8beaf54f5e68844d2450973b4f98a7110ad732a45e13c55aa18eb0c634
SHA512: ea287553c6eb2b5c7f4b0e2105cff3f3d7a2a43ae8799f91e883f556579e5e1cc1b03eadf1f9a4e7388d5cce0a2874a2b6835be9137e2633457452cbf83b648c

Filesize: 97KB
MD5: 43683a4440b56ea4d970c69f58b3fc6f
SHA1: 21ae77d2ec00138f45cfe1282d1147f3a213c988
SHA256: d69550dff7298724248f01164066b715ab8117346b43d78294d102039f41a1da
SHA512: a06adc52c0e0d3cbedafe1368f4790365f890b117481d0d3b328d29cc0b60a796b4c0a42b562a071ed27e916b62623cef2863910f7ced1ef42b91b159e744ef3