58e19d3ea468ed30dbf7d2b84186a3276eb8263b701f67d7255435f9fa0edc68

General

Target

eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
Size

45KB
MD5

eabf439a5bc49eec0ca32278e7673311
SHA1

312a1c4e37a96f4507f8b3075784e957b7155755
SHA256

58e19d3ea468ed30dbf7d2b84186a3276eb8263b701f67d7255435f9fa0edc68
SHA512

b82223462f7d034245330bbbf6ce701da5fdd8040abd94e31aa27f4bd296454a565fb6b2ddebe28ed2d7d33a11f9d2dadd813bdbd2e4a71a022644260f313f6b
SSDEEP

768:PTAm5hiTllzeF/AJOTmbWa8RYdiU3/7Shy5nv9/tw/xmcQM/:PLIcNTcWATPuhI9a/x4w

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows/system32/SVCH0ST.EXE"	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Agent = "C:\\Windows\\System32\\SVCH0ST.EXE"	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SVCH0ST.EXE	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SVCH0ST.EXE	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\wincirl.com	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
File opened for modification	C:\Windows\system\wincirl.com	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1384	2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe	28
PID 2824 wrote to memory of 1384	2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe	28
PID 2824 wrote to memory of 1384	2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe	28
PID 2824 wrote to memory of 1384	2824	eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eabf439a5bc49eec0ca32278e7673311_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe
  2⤵
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Common Office Components.pif

Filesize
39KB

MD5
4633f7b2441bf9e549d6c45592699aa6

SHA1
bfb27c67a68d053d71367e1273cee9e6f1ffdc86

SHA256
3da57e2d25987e296eb19b0da856ce99d0626068480868ef5d8bfa2a10603d55

SHA512
aa43be5e23bfda852749f5e005f0768caf346492e67c57a4473ac381dac457bc244304f06112d10955cce48dbb854bbbfdc5e6dbcfba1863c0932ff929a8d042

Download Submit
memory/2824-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2824-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2824-27-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2824-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2824-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads