c06acd7f6f4c44fc52d9f07b430079e12dc1b857c346818f0bd2064774d8df7b

General

Target

e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
Size

336KB
MD5

e96a9dbcc089237f78ec8c2fb417cd43
SHA1

3bd4a49dc3efe6a3ad06e67a8dc4bae8a8a8b6c4
SHA256

c06acd7f6f4c44fc52d9f07b430079e12dc1b857c346818f0bd2064774d8df7b
SHA512

386fc40141d7a8e4295b1c00959eacb6414c3d450ec02bae6449bc3183dc5d9212098471d8023e2101ecba82595811273e98cd1a0128479511adac3a7936c1aa
SSDEEP

6144:208bRhsVZdfF8oVnzhstpwQvK+w8B0aRGJi4oAle0esKPUN4b8j7xyUg5JVcS:2B4V/fFbUpwTn8GJi4cxUN4b8jkUg5Jm

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\984f37b0\\X"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
340	csrss.exe
2528	X

Loads dropped DLL 2 IoCs

pid	Process
2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 2780	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	31

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{a4719278-fb0d-d8bd-58e3-12da99d6197a}	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a4719278-fb0d-d8bd-58e3-12da99d6197a}\u = "134"	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a4719278-fb0d-d8bd-58e3-12da99d6197a}\cid = "506647476789072308"	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
2528	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
Token: SeDebugPrivilege	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
340	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 340	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	2
PID 2964 wrote to memory of 2528	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2528	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2528	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2528	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	28
PID 2528 wrote to memory of 1244	2528	X	21
PID 340 wrote to memory of 2444	340	csrss.exe	29
PID 340 wrote to memory of 2444	340	csrss.exe	29
PID 340 wrote to memory of 2024	340	csrss.exe	30
PID 340 wrote to memory of 2024	340	csrss.exe	30
PID 2964 wrote to memory of 2780	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2780	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2780	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2780	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2780	2964	e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe	31

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1244
- C:\Users\Admin\AppData\Local\Temp\e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e96a9dbcc089237f78ec8c2fb417cd43_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\984f37b0\X
    193.105.154.210:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2780

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2444

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\984f37b0\@

Filesize
2KB

MD5
c1c5fcd5be99b4df8439cf92a97718c7

SHA1
85034c62d9a522eea27370114d18dc89fddf1f39

SHA256
eb420ece3b490af7a4f7fe4530a48fceb5b6eebcc1fe6509074b361bbfb073e5

SHA512
1b77fe8a874676a533e17526df911540f14579f464f8219d48387ad230ce06846abf1c6779f02b4cab07c080f951ed383ef572eb8482b54b5dc9ee6f470ed5fa

Download Submit
\Users\Admin\AppData\Local\984f37b0\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
fd048fbd2bd55c88f3000d86dc3ccd84

SHA1
25d9d3b83353c73f06d57c06e97273c2e58612b0

SHA256
202ee34054dbee3a6b3e8d350403c088d34eb26f9b5b620071c71f8dc13cca88

SHA512
28ec4dedc78f21af9c9ebae335cf1107da4bff5602b140bb7bd29f995042aac74edff42e9dc440eafe90c2187854b91cd04cb3afa02317d49ba7f170af612738

Download Submit
memory/340-19-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/340-37-0x00000000022A0000-0x00000000023A0000-memory.dmp

Filesize
1024KB

Download
memory/340-18-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/1244-39-0x0000000002990000-0x000000000299B000-memory.dmp

Filesize
44KB

Download
memory/1244-44-0x00000000029A0000-0x00000000029AB000-memory.dmp

Filesize
44KB

Download
memory/1244-51-0x00000000029A0000-0x00000000029AB000-memory.dmp

Filesize
44KB

Download
memory/1244-43-0x0000000002990000-0x000000000299B000-memory.dmp

Filesize
44KB

Download
memory/1244-35-0x0000000002980000-0x0000000002988000-memory.dmp

Filesize
32KB

Download
memory/1244-32-0x0000000002990000-0x000000000299B000-memory.dmp

Filesize
44KB

Download
memory/2964-20-0x0000000000400000-0x00000000004623D8-memory.dmp

Filesize
392KB

Download
memory/2964-30-0x0000000000400000-0x00000000004623D8-memory.dmp

Filesize
392KB

Download
memory/2964-22-0x00000000022A0000-0x00000000023A0000-memory.dmp

Filesize
1024KB

Download
memory/2964-21-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2964-6-0x0000000000700000-0x000000000072E000-memory.dmp

Filesize
184KB

Download
memory/2964-2-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2964-9-0x0000000000700000-0x000000000072E000-memory.dmp

Filesize
184KB

Download
memory/2964-15-0x0000000000700000-0x000000000072E000-memory.dmp

Filesize
184KB

Download
memory/2964-3-0x0000000000700000-0x000000000072E000-memory.dmp

Filesize
184KB

Download
memory/2964-49-0x0000000000400000-0x00000000004623D8-memory.dmp

Filesize
392KB

Download
memory/2964-50-0x0000000000700000-0x000000000072E000-memory.dmp

Filesize
184KB

Download
memory/2964-16-0x00000000022A0000-0x00000000023A0000-memory.dmp

Filesize
1024KB

Download
memory/2964-1-0x0000000000400000-0x00000000004623D8-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads