13acb2a0cfc213abdbb8f42ae25b2def0c11116aead93ac2cb75b2d965cbb682

General

Target

eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe
Size

239KB
MD5

eaf0b16d7b5fa059bf4bc3338aa45d85
SHA1

1e98641e0f98d7e47a72461df9a90bc3755cb5ee
SHA256

13acb2a0cfc213abdbb8f42ae25b2def0c11116aead93ac2cb75b2d965cbb682
SHA512

6092fd178b0ca7d57889e31a432036b4b47619ab2f7d1c701dc68d7551aaa47f17e94314650640749971247ad913593179647e7a28e134fb653b98d68748312b
SSDEEP

3072:R410tNnOvYL/XcPBsLBkIcyYpZ0OFGkw+ALtjHyN3yeW8Wf8NFldNnD7SXlDfRVW:u2nGQ/WeJcyCZzFXsqo8DSX9fRb

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\d253e49c\\X"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2168	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2160	X
336	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe
1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1784 set thread context of 2168	1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe	28

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{3a7e3810-6a21-c5f7-6815-5df73c235f92}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3a7e3810-6a21-c5f7-6815-5df73c235f92}\u = "40"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3a7e3810-6a21-c5f7-6815-5df73c235f92}\cid = "6029841039944191016"	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2160	X
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2168	1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2168	1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2168	1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2168	1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2168	1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2160	1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe	29
PID 1784 wrote to memory of 2160	1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe	29
PID 1784 wrote to memory of 2160	1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe	29
PID 1784 wrote to memory of 2160	1784	eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe	29
PID 2160 wrote to memory of 1344	2160	X	21
PID 2168 wrote to memory of 336	2168	explorer.exe	2
PID 336 wrote to memory of 2136	336	csrss.exe	30
PID 336 wrote to memory of 2136	336	csrss.exe	30
PID 336 wrote to memory of 3024	336	csrss.exe	31
PID 336 wrote to memory of 3024	336	csrss.exe	31

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1344
- C:\Users\Admin\AppData\Local\Temp\eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eaf0b16d7b5fa059bf4bc3338aa45d85_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\explorer.exe
    00000074*
    3⤵
    - Deletes itself
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2168
- - C:\Users\Admin\AppData\Local\d253e49c\X
    193.105.154.210:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2160

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2136

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\d253e49c\@

Filesize
2KB

MD5
52cfc02d36193d30588353255022c683

SHA1
b1e0b1403c65c78c59a9717a2191cb4fe536d505

SHA256
fdbf68765b8ccb9a63c75ac51ae22a3df97b90700281ff0b8954dbe286416581

SHA512
cda1db5df8c7d3ef793fcce7c99a1146279996c4511fbd2be1903532fdcb1e559f0ae199a7bc1a165b0f651b02d99b6e95ef066d15f259e3851b9371c8da0d9e

Download Submit
C:\Users\Admin\AppData\Local\d253e49c\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
C:\Windows\system32\consrv.DLL

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
75f12a889081632fb877168a1f17259b

SHA1
f1b61e77bbdb68dddcb42ea7f3b9f29510ca6a6b

SHA256
8a0d0d57b51a15a2eec758edeb0afca7d487305eb51358c115134b82d4b62fc8

SHA512
38930d6758c1737a58c3e06a217b744de380027f38170e881391342db31e57be9070ca742a13d3f9aab8a823e64377780aa6516a0b81efc366d2e21dc2f59675

Download Submit
memory/336-41-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/336-40-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/1344-43-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/1344-22-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/1344-17-0x00000000029B0000-0x00000000029BB000-memory.dmp

Filesize
44KB

Download
memory/1344-13-0x00000000029B0000-0x00000000029BB000-memory.dmp

Filesize
44KB

Download
memory/1344-23-0x00000000029C0000-0x00000000029CB000-memory.dmp

Filesize
44KB

Download
memory/1344-21-0x00000000029B0000-0x00000000029BB000-memory.dmp

Filesize
44KB

Download
memory/1344-44-0x00000000029C0000-0x00000000029CB000-memory.dmp

Filesize
44KB

Download
memory/1784-11-0x00000000007F4000-0x0000000000824000-memory.dmp

Filesize
192KB

Download
memory/1784-2-0x0000000000400000-0x00000000004495F0-memory.dmp

Filesize
293KB

Download
memory/1784-42-0x0000000000400000-0x00000000004495F0-memory.dmp

Filesize
293KB

Download
memory/2168-28-0x00000000003F0000-0x0000000000404000-memory.dmp

Filesize
80KB

Download
memory/2168-33-0x00000000003F0000-0x0000000000404000-memory.dmp

Filesize
80KB

Download
memory/2168-5-0x00000000003F0000-0x0000000000404000-memory.dmp

Filesize
80KB

Download
memory/2168-1-0x00000000000E0000-0x00000000000F2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads