1c635c001ca5df8145fd61cd24a9477046530213b4abb43e94efb345a2f9319f

General

Target

ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe
Size

337KB
MD5

ec9df387cd3f6fc37843c09ea8a40a58
SHA1

6f28723c9892e7325ffc3424510a165df11c3071
SHA256

1c635c001ca5df8145fd61cd24a9477046530213b4abb43e94efb345a2f9319f
SHA512

7428ddd47085d1b3cd3c04e875ba7b3e31785903bb5566622f7826d1bf78c739eba641939e3fac6a559035d4f374fbf3eb07d5d72876106e5e56d1222ef19bcd
SSDEEP

6144:/77h1tqkKl+L7gtXs27jIsP+bL/c6PPQHEj+UyWdmuIuqDxi:j7h1tq76gtJIsqLbPQkjv7dOI

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\984f37b0\\X"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
1176	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
336	csrss.exe
2516	X

Loads dropped DLL 2 IoCs

pid	Process
1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe
1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 1176	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	31

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{a4719278-fb0d-d8bd-58e3-12da99d6197a}	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a4719278-fb0d-d8bd-58e3-12da99d6197a}\u = "42"	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a4719278-fb0d-d8bd-58e3-12da99d6197a}\cid = "3688531462076812843"	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe
1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe
1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe
2516	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe
Token: SeDebugPrivilege	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 336	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	2
PID 1740 wrote to memory of 2516	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2516	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2516	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2516	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	28
PID 2516 wrote to memory of 1244	2516	X	21
PID 336 wrote to memory of 2688	336	csrss.exe	29
PID 336 wrote to memory of 2688	336	csrss.exe	29
PID 336 wrote to memory of 2380	336	csrss.exe	30
PID 336 wrote to memory of 2380	336	csrss.exe	30
PID 1740 wrote to memory of 1176	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	31
PID 1740 wrote to memory of 1176	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	31
PID 1740 wrote to memory of 1176	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	31
PID 1740 wrote to memory of 1176	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	31
PID 1740 wrote to memory of 1176	1740	ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe	31

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1244
- C:\Users\Admin\AppData\Local\Temp\ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ec9df387cd3f6fc37843c09ea8a40a58_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\984f37b0\X
    76.76.13.94:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:1176

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2688

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\984f37b0\@

Filesize
2KB

MD5
4cde816b166742fc958541af01e8db94

SHA1
d8d5563451b31e8e1d4bba8bf34b11a74344fc29

SHA256
037dc76abfdafc9c7b60c4f22eeef9af30e72608ee3ffbc24c6898bf4fb93813

SHA512
edae7b58b130e05907e90e4959582baf93316174654fbc4a4fe01d7040205ac572cd56a8027d83c9fabed94392e117ef71c49adc51e96f0e35ce85772b043c7b

Download Submit
\Users\Admin\AppData\Local\984f37b0\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
5039a152126ccbd5a778b5e25a50d935

SHA1
688a2b5c40c0c2d365d103b3f86280c25218309e

SHA256
2107ef7427aa0f22b08978f317a9959e0df58c661996e6fd73618161db5ec580

SHA512
be14e51c8f5de0ac2dafae1ae72ee6c1796e4adc2b398661c2bb78ad96f496dd78dd9fd3c30415b98b264d054e0674ac19f0166e359fb01e1b620aea683ff06b

Download Submit
memory/336-17-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/336-19-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/1244-41-0x0000000002990000-0x000000000299B000-memory.dmp

Filesize
44KB

Download
memory/1244-49-0x00000000029A0000-0x00000000029AB000-memory.dmp

Filesize
44KB

Download
memory/1244-44-0x00000000029A0000-0x00000000029AB000-memory.dmp

Filesize
44KB

Download
memory/1244-31-0x0000000002990000-0x000000000299B000-memory.dmp

Filesize
44KB

Download
memory/1244-42-0x00000000029A0000-0x00000000029AB000-memory.dmp

Filesize
44KB

Download
memory/1244-37-0x0000000002990000-0x000000000299B000-memory.dmp

Filesize
44KB

Download
memory/1244-35-0x0000000002980000-0x0000000002988000-memory.dmp

Filesize
32KB

Download
memory/1740-18-0x0000000002270000-0x0000000002370000-memory.dmp

Filesize
1024KB

Download
memory/1740-3-0x0000000000460000-0x000000000048C000-memory.dmp

Filesize
176KB

Download
memory/1740-30-0x0000000000400000-0x000000000045CCA0-memory.dmp

Filesize
371KB

Download
memory/1740-6-0x0000000000460000-0x000000000048C000-memory.dmp

Filesize
176KB

Download
memory/1740-21-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/1740-33-0x0000000002270000-0x0000000002370000-memory.dmp

Filesize
1024KB

Download
memory/1740-20-0x0000000000400000-0x000000000045CCA0-memory.dmp

Filesize
371KB

Download
memory/1740-2-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/1740-15-0x0000000000460000-0x000000000048C000-memory.dmp

Filesize
176KB

Download
memory/1740-47-0x0000000000400000-0x000000000045CCA0-memory.dmp

Filesize
371KB

Download
memory/1740-48-0x0000000000460000-0x000000000048C000-memory.dmp

Filesize
176KB

Download
memory/1740-1-0x0000000000400000-0x000000000045CCA0-memory.dmp

Filesize
371KB

Download
memory/1740-9-0x0000000000460000-0x000000000048C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads