Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 19:52
Static task: static1
Behavioral task: behavioral1
- Sample: e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
- Size: 53KB
- MD5: e846b5080f578165bffbcb07655c32d8
- SHA1: 08246ce534e4f4d76863bdb84d547aa8c83dd3be
- SHA256: 986c48a0ef9126decb77b041e0eed10fe508147e1c16737502f5dea958870409
- SHA512: 755a5cbf3535ef3f88d88b339db9f805cd4b463389d8d16300222dbb63679bbc23fd315b6ba641f80849cd3b45db7693bca7ca48f822846fc5b5544654817f98
- SSDEEP: 1536:5m9nw/hT31GCSI6WB3IMeCn7EI50rO9nw/hT31Gl:P5T3BF6sYMF725T3m
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4294427.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6294422.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4294427.exe\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6294422.exe" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4294427.exe\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6294422.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6294422.exe" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4294427.exe\"" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6294422.exe" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4294427.exe\"" | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6294422.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4294427.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6294422.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6294422.exe" | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4294427.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4294427.exe\"" | lsass.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | services.exe
Adds policy Run key to start application (2 TTPs, 18 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4668c = "\"C:\\Windows\\_default29442.pif\"" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4668c = "\"C:\\Windows\\_default29442.pif\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | qm4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4668c = "\"C:\\Windows\\_default29442.pif\"" | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4668c = "\"C:\\Windows\\_default29442.pif\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4668c = "\"C:\\Windows\\_default29442.pif\"" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4668c = "\"C:\\Windows\\_default29442.pif\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4668c = "\"C:\\Windows\\_default29442.pif\"" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4668c = "\"C:\\Windows\\_default29442.pif\"" | lsass.exe
Disables RegEdit via registry modification (8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qm4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | m4623.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | csrss.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | smss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | lsass.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Executes dropped EXE (7 IoCs)
pid | Process
3232 | smss.exe
804 | winlogon.exe
1056 | services.exe
3000 | csrss.exe
4056 | lsass.exe
1496 | qm4623.exe
3556 | m4623.exe
Adds Run key to start application (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4668c = "\"C:\\Windows\\j6294422.exe\"" | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | services.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | m4623.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4668c = "\"C:\\Windows\\j6294422.exe\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4668c = "\"C:\\Windows\\j6294422.exe\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | qm4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4668c = "\"C:\\Windows\\j6294422.exe\"" | m4623.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4668c = "\"C:\\Windows\\j6294422.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4668c = "\"C:\\Windows\\j6294422.exe\"" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4668c = "\"C:\\Windows\\j6294422.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4668c = "\"C:\\Windows\\j6294422.exe\"" | qm4623.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Y: \??\Z: \??\J: \??\M: \??\S: \??\R: \??\U: \??\G: \??\K: \??\Q: \??\L: \??\N: \??\O: \??\P: \??\W: \??\E: \??\H: \??\I: \??\T: \??\V: \??\X: (21 drive letters, one entry each) | lsass.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | lsass.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | m4623.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\c_29442k.com | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\csrss.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\c_29442k.com | m4623.exe
File opened for modification | C:\Windows\SysWOW64\c_29442k.com | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | csrss.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\c_29442k.com | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\c_29442k.com | csrss.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | qm4623.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\c_29442k.com | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | services.exe
File created | C:\Windows\SysWOW64\s4827\m4623.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File created | C:\Windows\SysWOW64\s4827\winlogon.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\csrss.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | m4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\c_29442k.com | qm4623.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | m4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | smss.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | services.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | m4623.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\c_29442k.com | services.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | csrss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\s4827\domlist.txt | lsass.exe
File created | C:\Windows\SysWOW64\s4827\Spread.Mail.Bro\[email protected] | services.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | qm4623.exe
File created | C:\Windows\SysWOW64\s4827\domlist.txt | cmd.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | qm4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File created | C:\Windows\SysWOW64\c_29442k.com | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe
Drops file in Windows directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\_default29442.pif | m4623.exe
File opened for modification | C:\Windows\j6294422.exe | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\j6294422.exe | services.exe
File opened for modification | C:\Windows\j6294422.exe | qm4623.exe
File opened for modification | C:\Windows\o4294427.exe | csrss.exe
File opened for modification | C:\Windows\j6294422.exe | lsass.exe
File created | C:\Windows\j6294422.exe | lsass.exe
File opened for modification | C:\Windows\_default29442.pif | lsass.exe
File created | C:\Windows\j6294422.exe | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\_default29442.pif | winlogon.exe
File opened for modification | C:\Windows\Ad10218 | winlogon.exe
File opened for modification | C:\Windows\Ad10218\qm4623.exe | winlogon.exe
File opened for modification | C:\Windows\o4294427.exe | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\_default29442.pif | services.exe
File opened for modification | C:\Windows\o4294427.exe | lsass.exe
File opened for modification | C:\Windows\_default29442.pif | qm4623.exe
File opened for modification | C:\Windows\j6294422.exe | winlogon.exe
File opened for modification | C:\Windows\j6294422.exe | csrss.exe
File opened for modification | C:\Windows\o4294427.exe | smss.exe
File created | C:\Windows\Ad10218\qm4623.exe | winlogon.exe
File opened for modification | C:\Windows\j6294422.exe | m4623.exe
File created | C:\Windows\_default29442.pif | qm4623.exe
File opened for modification | C:\Windows\o4294427.exe | qm4623.exe
File created | C:\Windows\o4294427.exe | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\_default29442.pif | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\_default29442.pif | smss.exe
File opened for modification | C:\Windows\_default29442.pif | csrss.exe
File opened for modification | C:\Windows\o4294427.exe | m4623.exe
File created | C:\Windows\_default29442.pif | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
File opened for modification | C:\Windows\j6294422.exe | smss.exe
File opened for modification | C:\Windows\o4294427.exe | winlogon.exe
File opened for modification | C:\Windows\o4294427.exe | services.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Discovers systems in the same network (1 TTPs, 1 IoCs)
pid | Process
1756 | net.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
804 | winlogon.exe (64 identical entries)
Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 4972 wrote to memory of 3232 | 4972 | e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe | 89 (×3)
PID 3232 wrote to memory of 804 | 3232 | smss.exe | 91 (×3)
PID 804 wrote to memory of 1056 | 804 | winlogon.exe | 95 (×3)
PID 804 wrote to memory of 3000 | 804 | winlogon.exe | 99 (×3)
PID 804 wrote to memory of 4056 | 804 | winlogon.exe | 101 (×3)
PID 804 wrote to memory of 1496 | 804 | winlogon.exe | 103 (×3)
PID 804 wrote to memory of 3556 | 804 | winlogon.exe | 105 (×3)
PID 804 wrote to memory of 4872 | 804 | winlogon.exe | 107 (×3)
PID 804 wrote to memory of 4616 | 804 | winlogon.exe | 110 (×3)
PID 804 wrote to memory of 116 | 804 | winlogon.exe | 112 (×3)
PID 4056 wrote to memory of 5024 | 4056 | lsass.exe | 117 (×3)
PID 5024 wrote to memory of 1756 | 5024 | cmd.exe | 119 (×3)
Processes

C:\Users\Admin\AppData\Local\Temp\e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe (depth 1, PID 4972)
Command line: "C:\Users\Admin\AppData\Local\Temp\e846b5080f578165bffbcb07655c32d8_JaffaCakes118.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\s4827\smss.exe (depth 2, PID 3232)
  Command line: "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\s4827\winlogon.exe (depth 3, PID 804)
    Command line: "C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\s4827\services.exe (depth 4, PID 1056)
      Command line: "C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory

      C:\Windows\SysWOW64\s4827\csrss.exe (depth 4, PID 3000)
      Command line: "C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory

      C:\Windows\SysWOW64\s4827\lsass.exe (depth 4, PID 4056)
      Command line: "C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 5024)
        Command line: "C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net.exe (depth 6, PID 1756)
          Command line: net view /domain
          - Discovers systems in the same network

      C:\Windows\Ad10218\qm4623.exe (depth 4, PID 1496)
      Command line: "C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory

      C:\Windows\SysWOW64\s4827\m4623.exe (depth 4, PID 3556)
      Command line: "C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory

      C:\Windows\SysWOW64\at.exe (depth 4, PID 4872)
      Command line: "C:\Windows\System32\at.exe" /delete /y

      C:\Windows\SysWOW64\at.exe (depth 4, PID 4616)
      Command line: "C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"

      C:\Windows\SysWOW64\at.exe (depth 4, PID 116)
      Command line: "C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (5)
Downloads
- Filesize: 53KB
  MD5: bae4698810dfc40c129c6f07f6e4ca15
  SHA1: 876d3e9af3ad9921a35e39e618163c5e750aedda
  SHA256: b612d9dba0eb0cf786b2edee063435f8e9a287a5718b0b9cf0c42ade327012ff
  SHA512: f68e069ea51b6d90c81687f5d8ea34729c93c59eb45b13bec06518606825621d356d1a338cc22ae0377626bf17e0a6eb07f188eb220c47ef43110770c9eb10e3
- Filesize: 53KB
  MD5: e846b5080f578165bffbcb07655c32d8
  SHA1: 08246ce534e4f4d76863bdb84d547aa8c83dd3be
  SHA256: 986c48a0ef9126decb77b041e0eed10fe508147e1c16737502f5dea958870409
  SHA512: 755a5cbf3535ef3f88d88b339db9f805cd4b463389d8d16300222dbb63679bbc23fd315b6ba641f80849cd3b45db7693bca7ca48f822846fc5b5544654817f98
- Filesize: 53KB
  MD5: 5288347466856f203ba44459d6704519
  SHA1: 75e7e3d08c1945fbc18e724d8c25432682a25c62
  SHA256: 218ed096cb81465d853f9e631183cb28958461e5d070544c9805796738226134
  SHA512: c123045851ed6b6210622635edcc90439c4e6dfde733159d3228d1a6626466cb8c91f3aa331182ad3630233ae95d876539c5e88c17920e70a85aa61e5324ae58
- Filesize: 53KB
  MD5: c5d6aef90597415d8d7be8ff48879155
  SHA1: 4ba74b5cc149e7e11d0fde893dbec8efe0a812af
  SHA256: e6cc0de8404bd4bed4f3233022b57b3cbddaa63f986fd3713430739e67c3b06d
  SHA512: 92a9398392af7fcac47044275c0dc450a4043e32e735de45afbcc8c6fa13f0b6ecbc0ad1ad4fe3641a92405cb2d4d9f9f36c5451cb17adfe41f2e075c0641caa
- Filesize: 53KB
  MD5: f101feb45c43d65a2c55c257836c6190
  SHA1: 05563df9440f5c59ccc0510b47b739f6900167d2
  SHA256: 45d9571ca5ef5669790e38d05a54fb6fb29adfbd8f92149e20291600cf65f439
  SHA512: fb01ee0ec25c045cf5b9d89f673154225d012f6f57a05c1decbf9236d838b76b0c6d422a13e3c5a500a00f01efadc784f521feee309cecf607bbc91ed4a5e609