75f3a7f4dc2f0256b09f08383e9ed1d0736e89e763c585a7c2bec090fff06ebb

Analysis

max time kernel
5s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 04:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
Size

106KB
MD5

ecb1017ccc385dbee908f234f0bca35e
SHA1

a31bcdb9705933d2a29dd82048bf5ae639e3b909
SHA256

75f3a7f4dc2f0256b09f08383e9ed1d0736e89e763c585a7c2bec090fff06ebb
SHA512

a52c2f0674587d15b0b67b8df64604337fdcd7486302aa0b44f783dd839caac5be24ee689da0195736e04e37a5995902c287436af09073699eda5f4297ca8578
SSDEEP

1536:rjPzy7rAVb3n3gX72IEJ5NwE4G/a3hd+g/4gNxlfY:vPzyXANQX729D4G/aR34gLlw

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe"	h2s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe"	nacl.exe

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nacl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	h2s.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 6 IoCs

pid	Process
2492	h2s.exe
2144	lsass.exe
1832	h2s.exe
1200	nacl.exe
2756	lsass.exe
1840	lsass.exe

Loads dropped DLL 4 IoCs

pid	Process
2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
2492	h2s.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2896-0-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/files/0x00090000000155e2-8.dat	upx
behavioral1/memory/2492-26-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2144-41-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-72-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2896-78-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2492-79-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2896-80-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2144-81-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2756-83-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1200-82-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2144-97-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2144-188-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe"	nacl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe"	h2s.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\nacl.exe	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
File created	C:\WINDOWS\system\lsass.exe	h2s.exe
File opened for modification	C:\WINDOWS\nacl.exe	h2s.exe
File created	C:\WINDOWS\userinit.exe	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
File created	C:\WINDOWS\h2s.exe	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\h2s.exe	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
File created	C:\WINDOWS\system\lsass.exe	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
File created	C:\WINDOWS\nacl.exe	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system\lsass.exe	h2s.exe
File opened for modification	C:\WINDOWS\userinit.exe	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system\lsass.exe	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
File created	C:\WINDOWS\nacl.exe	h2s.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000008b585d251100557365727300600008000400efbeee3a851a8b585d252a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000005558027f100041646d696e00380008000400efbe555882765558027f2a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 520031000000000055588276122041707044617461003c0008000400efbe55588276555882762a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a003100000000008b585d25102054656d700000360008000400efbe555882768b585d252a00000001020000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = a2003100000000008b585d2510204543423130317e3100008a0008000400efbe8b585d258b585d252a000000d4550100000007000000000000000000000000000000650063006200310030003100370063006300630033003800350064006200650065003900300038006600320033003400660030006200630061003300350065005f004a006100660066006100430061006b0065007300310031003800000018000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000005558c87910204c6f63616c00380008000400efbe555882765558c8792a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2492	h2s.exe
2144	lsass.exe
2492	h2s.exe
2144	lsass.exe
1832	h2s.exe
1200	nacl.exe
2144	lsass.exe
1200	nacl.exe
2144	lsass.exe
1200	nacl.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
2492	h2s.exe
2492	h2s.exe
2144	lsass.exe
2144	lsass.exe
1832	h2s.exe
1200	nacl.exe
1832	h2s.exe
1200	nacl.exe
2756	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2680	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2680	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2680	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2680	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2492	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2492	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2492	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2492	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2808	2680	cmd.exe	31
PID 2680 wrote to memory of 2808	2680	cmd.exe	31
PID 2680 wrote to memory of 2808	2680	cmd.exe	31
PID 2680 wrote to memory of 2808	2680	cmd.exe	31
PID 2492 wrote to memory of 2292	2492	h2s.exe	32
PID 2492 wrote to memory of 2292	2492	h2s.exe	32
PID 2492 wrote to memory of 2292	2492	h2s.exe	32
PID 2492 wrote to memory of 2292	2492	h2s.exe	32
PID 2808 wrote to memory of 2792	2808	net.exe	33
PID 2808 wrote to memory of 2792	2808	net.exe	33
PID 2808 wrote to memory of 2792	2808	net.exe	33
PID 2808 wrote to memory of 2792	2808	net.exe	33
PID 2896 wrote to memory of 2144	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	35
PID 2896 wrote to memory of 2144	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	35
PID 2896 wrote to memory of 2144	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	35
PID 2896 wrote to memory of 2144	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	35
PID 2292 wrote to memory of 1588	2292	cmd.exe	36
PID 2292 wrote to memory of 1588	2292	cmd.exe	36
PID 2292 wrote to memory of 1588	2292	cmd.exe	36
PID 2292 wrote to memory of 1588	2292	cmd.exe	36
PID 1588 wrote to memory of 2684	1588	net.exe	37
PID 1588 wrote to memory of 2684	1588	net.exe	37
PID 1588 wrote to memory of 2684	1588	net.exe	37
PID 1588 wrote to memory of 2684	1588	net.exe	37
PID 2144 wrote to memory of 2484	2144	lsass.exe	38
PID 2144 wrote to memory of 2484	2144	lsass.exe	38
PID 2144 wrote to memory of 2484	2144	lsass.exe	38
PID 2144 wrote to memory of 2484	2144	lsass.exe	38
PID 2484 wrote to memory of 1592	2484	cmd.exe	40
PID 2484 wrote to memory of 1592	2484	cmd.exe	40
PID 2484 wrote to memory of 1592	2484	cmd.exe	40
PID 2484 wrote to memory of 1592	2484	cmd.exe	40
PID 1592 wrote to memory of 700	1592	net.exe	41
PID 1592 wrote to memory of 700	1592	net.exe	41
PID 1592 wrote to memory of 700	1592	net.exe	41
PID 1592 wrote to memory of 700	1592	net.exe	41
PID 2896 wrote to memory of 1372	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	43
PID 2896 wrote to memory of 1372	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	43
PID 2896 wrote to memory of 1372	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	43
PID 2896 wrote to memory of 1372	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	43
PID 2896 wrote to memory of 1832	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	45
PID 2896 wrote to memory of 1832	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	45
PID 2896 wrote to memory of 1832	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	45
PID 2896 wrote to memory of 1832	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	45
PID 2492 wrote to memory of 1200	2492	h2s.exe	46
PID 2492 wrote to memory of 1200	2492	h2s.exe	46
PID 2492 wrote to memory of 1200	2492	h2s.exe	46
PID 2492 wrote to memory of 1200	2492	h2s.exe	46
PID 1832 wrote to memory of 2736	1832	h2s.exe	47
PID 1832 wrote to memory of 2736	1832	h2s.exe	47
PID 1832 wrote to memory of 2736	1832	h2s.exe	47
PID 1832 wrote to memory of 2736	1832	h2s.exe	47
PID 2896 wrote to memory of 2756	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	49
PID 2896 wrote to memory of 2756	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	49
PID 2896 wrote to memory of 2756	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	49
PID 2896 wrote to memory of 2756	2896	ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe	49

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0"	nacl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	h2s.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0"	h2s.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nacl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	nacl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	h2s.exe

C:\Users\Admin\AppData\Local\Temp\ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\net.exe
    net share "phim_hai_hay=C:\Documents and Settings\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
      4⤵
      PID:2792
- C:\WINDOWS\h2s.exe
  C:\WINDOWS\h2s.exe
  2⤵
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\net.exe
      net share "phim_hai_hay=C:\Documents and Settings\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
        5⤵
        
        PID:2684
- - C:\WINDOWS\nacl.exe
    C:\WINDOWS\nacl.exe
    3⤵
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      4⤵
      PID:2040
- - C:\WINDOWS\system\lsass.exe
    C:\WINDOWS\system\lsass.exe
    3⤵
    - Executes dropped EXE
    PID:1840
- C:\WINDOWS\system\lsass.exe
  C:\WINDOWS\system\lsass.exe
  2⤵
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\net.exe
      net share "phim_hai_hay=C:\Documents and Settings\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
        5⤵
        
        PID:700
- C:\Windows\SysWOW64\explorer.exe
  explorer ecb1017ccc385dbee908f234f0bca35e_JaffaCakes118
  2⤵
  PID:1372
- C:\WINDOWS\h2s.exe
  C:\WINDOWS\h2s.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    3⤵
    PID:2736
- C:\WINDOWS\system\lsass.exe
  C:\WINDOWS\system\lsass.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\1[1].htm

Filesize
1KB

MD5
9b697b0c15ef6a9ed29033f748f7f323

SHA1
64dc8b73ec39bf59367567433d4b1ec88b60841f

SHA256
06c849706c9abbb8761e45316f6c1863c7692bf56089eb7fbb6e560644cadb4c

SHA512
13eb9ace13a1abcd58962314bab618d7399dacfa0d474afc990c2f91ac167a5a76544a18bc5211f1328a59a94c145d6f6840408eac405b9b805fc87f35b7fe8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\2[1].htm

Filesize
1KB

MD5
cb947e39831f67e7c0fa85da7541f86b

SHA1
48c5654c45cfbb81e2d3acc4530272d453df7932

SHA256
050313a720b2a0b9b61515a51b932880affec3c8b26b8f92d8a1573499bae922

SHA512
77a853b2182af9b6551118e3b502855e4abf6a836c7f03f331526c4dfc5604df7d9b16c1d897bc66461829d669d6739005f45f0c5cb0605b0a0992534d4d631e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\3[1].htm

Filesize
1KB

MD5
c353188f7023726c62badda92cae15c0

SHA1
970bfc708d8c4eca9c79ca040bdae8795d351f87

SHA256
e2360b8f8ffbd2efde2ddc81fc5c7676977995001ab127ee2a05780292382618

SHA512
c661e120ac651aa3c3e2f5236882f89525ec076b362fb05c9c4a6283b3b552fe06d3e56c5f97ac3b3b58700520505c5be5486d3784a9f980f094c3111cb5a033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\4[1].htm

Filesize
1KB

MD5
1537d18312c22cbb7462d039ee5024c5

SHA1
303cb066d17b508e1b7e1ac56489feb99f040e19

SHA256
ee92a5794f932ce56e82d307e871a1d1a6a1142d55431ef9b21801a4cd477cbf

SHA512
32c8c9fbd6bcb2d504d20bbee861f30d9ebb6da891b0c8665bc7770370ef84c58ed12565804cb50a9e3318f997d89f7e03d58787b2cdfae9415f190f5eeca8b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\5[1].htm

Filesize
1KB

MD5
198d248ebbdaddec996aa447b3de0668

SHA1
0e864d045e084cef70a5964d9f13f065812df92b

SHA256
ddfa271141defad04a6d944507412539fa89207840605d09382a3ff2831fc617

SHA512
39e1df35c33fbdba57be60aef9e7a9f4c88915270477fba113faaba0895094b3ffd2b2596d6595c6c292efdf8e085e44c2326509b4b6ef94fcafd4a51425f37f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\5[2].htm

Filesize
1KB

MD5
b292fe9be86b00ac1672a7ad3540a3eb

SHA1
ddb6450dfbb638d0d4e8a7279f0a43f337549501

SHA256
ff8e2b5377c910b1d0f289a9c6eb92f9c4ef4964689c1072a126ea665ea8d155

SHA512
e5d1775f14edbdd9f7fff9d3783b36af64ea7a57b4d9e1f15eef01343dc16f36aded64ee9ed446146f1acb0a310b416962ec742f13c2101eb7a19856dfd69f57

Download Submit
C:\WINDOWS\system32\drivers\etc\hosts

Filesize
578B

MD5
4cedd41692993cf5a0a40baeb724b871

SHA1
fc1eeb1d88966ea4a816bcbdab320830b6f70261

SHA256
fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

SHA512
e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

Download Submit
C:\Windows\h2s.exe

Filesize
106KB

MD5
ecb1017ccc385dbee908f234f0bca35e

SHA1
a31bcdb9705933d2a29dd82048bf5ae639e3b909

SHA256
75f3a7f4dc2f0256b09f08383e9ed1d0736e89e763c585a7c2bec090fff06ebb

SHA512
a52c2f0674587d15b0b67b8df64604337fdcd7486302aa0b44f783dd839caac5be24ee689da0195736e04e37a5995902c287436af09073699eda5f4297ca8578

Download Submit
memory/1068-77-0x0000000003A10000-0x0000000003A20000-memory.dmp

Filesize
64KB

Download
memory/1068-76-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/1068-120-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/1200-82-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2144-81-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2144-41-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2144-188-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2144-97-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2492-26-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2492-108-0x0000000002640000-0x00000000026A0000-memory.dmp

Filesize
384KB

Download
memory/2492-79-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2492-55-0x0000000002640000-0x00000000026A0000-memory.dmp

Filesize
384KB

Download
memory/2756-83-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2896-78-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2896-24-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2896-80-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2896-23-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2896-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download