c49d1a79cc30af3de957e4e5f6ae249e074dd85d3200868e36f14d97144cebb7

General

Target

e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
Size

355KB
MD5

e8d525d0a2bf8e47436238b52884d8b6
SHA1

db66207de2e31ba6e5fd7f1ffbc8f2b8ba8d3873
SHA256

c49d1a79cc30af3de957e4e5f6ae249e074dd85d3200868e36f14d97144cebb7
SHA512

cdaca2fc83af3ed9710f8d37397258d60c135d4e2a526a1565d2d06c65473f4c7091d5c6476339eef3137995fda6244f8499f8edf772548f1171e8dc8d81d659
SSDEEP

6144:L3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:omWhND9yJz+b1FcMLmp2ATTSsdS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2156	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ad6050b = "Ì%±ÿ€TÌ{îú\x04uQC¿Â»I*‚ñvöìÜ?SÜ}\f~E›a>"	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ad6050b = "Ì%±ÿ€TÌ{îú\x04uQC¿Â»I*‚ñvöìÜ?SÜ}\f~E›a>"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2156	2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2156	2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2156	2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2156	2352	e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8d525d0a2bf8e47436238b52884d8b6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\540A.tmp

Filesize
22KB

MD5
c3821280523e004b9182ef661f264fb3

SHA1
dd0b45e5329b424e9b0c8249dc1e6c46d7fd4ae0

SHA256
02554c424327ef391a722b4e15121583382358ab9086c047e657a89298ad1d70

SHA512
c6f4432eb52e9ba2ba73b1ec25cadc5e3e584df64aea8b69c248053dd16756a8233ebeeb4521918d94babfe6ce71c6ed7b853d76d1d5076b12e937cf7aff1a31

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
6c00c717e767edad69fdf6b59b50e53c

SHA1
3a1980dfd3194748dbbda63f5ab3dab703744e48

SHA256
9153b3063de2d507235cf3616e686a8b607df3b36b8e5f846e3a0982a5159a8e

SHA512
742c31a941639f304b09c4f1419bd834d343c251515ec1eac7f9381dce62eaaee07d67c9e6061e32cdf088f9015cc45b01ba36f2c5dba7f13a574afabfbbf241

Download Submit
memory/2156-39-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-40-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-19-0x0000000000460000-0x0000000000508000-memory.dmp

Filesize
672KB

Download
memory/2156-21-0x0000000000460000-0x0000000000508000-memory.dmp

Filesize
672KB

Download
memory/2156-23-0x0000000000460000-0x0000000000508000-memory.dmp

Filesize
672KB

Download
memory/2156-24-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-27-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-29-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-31-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-32-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-42-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-34-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-35-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-36-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-37-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-38-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-17-0x0000000000460000-0x0000000000508000-memory.dmp

Filesize
672KB

Download
memory/2156-15-0x0000000000460000-0x0000000000508000-memory.dmp

Filesize
672KB

Download
memory/2156-33-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-41-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-44-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-43-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-46-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-45-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-47-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-48-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-49-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-50-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-51-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-57-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-13-0x0000000000460000-0x0000000000508000-memory.dmp

Filesize
672KB

Download
memory/2156-68-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-69-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download
memory/2156-56-0x00000000023A0000-0x0000000002456000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads