blackmoon | 32e061867b3971b73cbf19670579e1951c453b75b3cede97d2d28f967246d8e5

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe
Size

627KB
MD5

f7823a8603489f856d6bedb40a29f8cc
SHA1

6f2679ccbdb758e5002326af810d88f2be6a2f76
SHA256

32e061867b3971b73cbf19670579e1951c453b75b3cede97d2d28f967246d8e5
SHA512

c17f62d6dbb6684de28e57e28c407ab99d7b33944d1dc7cedc929a8417a5862f3e586fa2ac53f78674da8dd60654141fbbd1ae5f4b805fe5f557ed9988b1c7bc
SSDEEP

12288:butrzh9xOXkFnM9hyQ45FYU6n564fL9abBEna48tzKFBTqWZUHCaRDMC3fQkJ+10:butr5OUFM9he6564fL9LnaVzYBTqwra9

Score

10^/10

blackmoon banker persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c52-9.dat	family_blackmoon

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 6 IoCs

pid	Process
1216	smss.exe
1344	PsE.exe
2552	PSEXESVC.EXE
2188	PsE.exe
2096	svchost.exe
1840	nets2012.exe

Loads dropped DLL 7 IoCs

pid	Process
2756	f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe
2756	f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe
1920	WerFault.exe
1920	WerFault.exe
2192	regsvr32.exe
1840	nets2012.exe
1920	WerFault.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015c2f-24.dat	upx
behavioral1/memory/2096-25-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral1/memory/2096-27-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral1/files/0x000b000000014fe1-28.dat	upx
behavioral1/memory/1840-29-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1840-49-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\SYSTEN = "0"	smss.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	nets2012.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\PSEXESVC.EXE	PsE.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2000	sc.exe
2440	sc.exe
2168	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1920	1216	WerFault.exe	28

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	regsvr32.exe

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2096	svchost.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	2096	svchost.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe
Token: SeDebugPrivilege	1216	smss.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1840	nets2012.exe
1840	nets2012.exe
1840	nets2012.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1216	2756	f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1216	2756	f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1216	2756	f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1216	2756	f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1216	2756	f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1216	2756	f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe	28
PID 2756 wrote to memory of 1216	2756	f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe	28
PID 1216 wrote to memory of 2440	1216	smss.exe	29
PID 1216 wrote to memory of 2440	1216	smss.exe	29
PID 1216 wrote to memory of 2440	1216	smss.exe	29
PID 1216 wrote to memory of 2440	1216	smss.exe	29
PID 1216 wrote to memory of 2440	1216	smss.exe	29
PID 1216 wrote to memory of 2440	1216	smss.exe	29
PID 1216 wrote to memory of 2440	1216	smss.exe	29
PID 1216 wrote to memory of 2524	1216	smss.exe	31
PID 1216 wrote to memory of 2524	1216	smss.exe	31
PID 1216 wrote to memory of 2524	1216	smss.exe	31
PID 1216 wrote to memory of 2524	1216	smss.exe	31
PID 1216 wrote to memory of 2524	1216	smss.exe	31
PID 1216 wrote to memory of 2524	1216	smss.exe	31
PID 1216 wrote to memory of 2524	1216	smss.exe	31
PID 1216 wrote to memory of 2564	1216	smss.exe	33
PID 1216 wrote to memory of 2564	1216	smss.exe	33
PID 1216 wrote to memory of 2564	1216	smss.exe	33
PID 1216 wrote to memory of 2564	1216	smss.exe	33
PID 1216 wrote to memory of 2564	1216	smss.exe	33
PID 1216 wrote to memory of 2564	1216	smss.exe	33
PID 1216 wrote to memory of 2564	1216	smss.exe	33
PID 1216 wrote to memory of 2692	1216	smss.exe	35
PID 1216 wrote to memory of 2692	1216	smss.exe	35
PID 1216 wrote to memory of 2692	1216	smss.exe	35
PID 1216 wrote to memory of 2692	1216	smss.exe	35
PID 1216 wrote to memory of 2692	1216	smss.exe	35
PID 1216 wrote to memory of 2692	1216	smss.exe	35
PID 1216 wrote to memory of 2692	1216	smss.exe	35
PID 1216 wrote to memory of 1344	1216	smss.exe	37
PID 1216 wrote to memory of 1344	1216	smss.exe	37
PID 1216 wrote to memory of 1344	1216	smss.exe	37
PID 1216 wrote to memory of 1344	1216	smss.exe	37
PID 1216 wrote to memory of 1344	1216	smss.exe	37
PID 1216 wrote to memory of 1344	1216	smss.exe	37
PID 1216 wrote to memory of 1344	1216	smss.exe	37
PID 2552 wrote to memory of 2396	2552	PSEXESVC.EXE	40
PID 2552 wrote to memory of 2396	2552	PSEXESVC.EXE	40
PID 2552 wrote to memory of 2396	2552	PSEXESVC.EXE	40
PID 2552 wrote to memory of 2396	2552	PSEXESVC.EXE	40
PID 1216 wrote to memory of 2188	1216	smss.exe	42
PID 1216 wrote to memory of 2188	1216	smss.exe	42
PID 1216 wrote to memory of 2188	1216	smss.exe	42
PID 1216 wrote to memory of 2188	1216	smss.exe	42
PID 1216 wrote to memory of 2188	1216	smss.exe	42
PID 1216 wrote to memory of 2188	1216	smss.exe	42
PID 1216 wrote to memory of 2188	1216	smss.exe	42
PID 2396 wrote to memory of 2096	2396	cmd.exe	44
PID 2396 wrote to memory of 2096	2396	cmd.exe	44
PID 2396 wrote to memory of 2096	2396	cmd.exe	44
PID 2396 wrote to memory of 2096	2396	cmd.exe	44
PID 1216 wrote to memory of 1920	1216	smss.exe	48
PID 1216 wrote to memory of 1920	1216	smss.exe	48
PID 1216 wrote to memory of 1920	1216	smss.exe	48
PID 1216 wrote to memory of 1920	1216	smss.exe	48
PID 1216 wrote to memory of 1920	1216	smss.exe	48
PID 1216 wrote to memory of 1920	1216	smss.exe	48
PID 1216 wrote to memory of 1920	1216	smss.exe	48

C:\Users\Admin\AppData\Local\Temp\f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7823a8603489f856d6bedb40a29f8cc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756
- C:\windows\temp\smss.exe
  "C:\windows\temp\smss.exe"
  2⤵
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" config seclogon start= auto
    3⤵
    - Launches sc.exe
    PID:2440
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\System32\net1.exe" user SYSTEN 1 /add
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\System32\net1.exe" localgroup administrators SYSTEN /add
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\System32\net1.exe" localgroup users SYSTEN /delete
    3⤵
    PID:2692
- - C:\Windows\PsE.exe
    "C:\Windows\PsE.exe" /accepteula -s -d cmd /c set ALLUSERSPROFILE=C:\Documents and Settings\SYSTEN&start c:\windows\temp\92\svchost.exe "|14112"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1344
- - C:\Windows\PsE.exe
    "C:\Windows\PsE.exe" /accepteula -d -u systen -p 1 c:\windows\temp\58\nets2012.exe
    3⤵
    - Executes dropped EXE
    PID:2188
  - - \??\c:\windows\temp\58\nets2012.exe
      "c:\windows\temp\58\nets2012.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:1840
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\system32\MSWINSCK.OCX"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2192
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config winmgmt start= demand
        5⤵
        Launches sc.exe
        
        PID:2168
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start winmgmt
        5⤵
        Launches sc.exe
        
        PID:2000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 728
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1920

C:\Windows\PSEXESVC.EXE
C:\Windows\PSEXESVC.EXE
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\cmd.exe
  "cmd" /c set ALLUSERSPROFILE=C:\Documents and Settings\SYSTEN&start c:\windows\temp\92\svchost.exe "|14112"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - \??\c:\windows\temp\92\svchost.exe
    c:\windows\temp\92\svchost.exe "|14112"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\SYSTEN\AppData\Local\Temp\~DF08A3.TMP

Filesize
5KB

MD5
ed906b155634081c2ba704dac41dd113

SHA1
2911c309009784184713f06cd9eb272429136c49

SHA256
bf91a6c37ea887df959d86bf39adb095d76a68df5197be86558d6be9a766121d

SHA512
2b38be9cd5db5df2d0b15d30b4b62ee210f23c658ce1c1c3f8ef69d9437f12bfd62e9c2ab6c572936f57dfe41bde702777e5cc5931af14878b0101e1e11556ac

Download Submit
C:\Windows\PSEXESVC.EXE

Filesize
176KB

MD5
a283e768fa12ef33087f07b01f82d6dd

SHA1
26c0c7fbc2ee8b2aa8c1ae0f76af95d5fda72903

SHA256
1d4d787047200fc7bcbfc03a496cafda8e49075d2fbf2ff7feab90a4fdea8f89

SHA512
aa7118bc1c38196ceb2d240ca92a76dfcc26f9dc24613d1839d730973b09c2d9ad8907263561c9ae69cf860667fe27a0d7142b4a19f172a6bbb250c3bc53f164

Download Submit
C:\Windows\PsE.exe

Filesize
372KB

MD5
3edbec081d4776b2e9e4ad9332d6a7d8

SHA1
f8119de30824905a72306417d9362b8f4319b1db

SHA256
61a2aaf4dbbaee335febc5eab6a1a66e4c87ad77ae87b54f1df1de59c0371368

SHA512
2d6a5c996bf83de49705bda020d7680b4902dbe70aea77d4b0847eca79b8a115a2075ac8af854a874e1e58b4ad9b01da53e769046983d5a6cd6840afb2f43317

Download Submit
C:\Windows\Temp\58\nets2012.exe

Filesize
85KB

MD5
9769a9a6c3dd1fdab61f8351a152be87

SHA1
2142ca7cd061ba0c642043a9da50027dabb7380c

SHA256
07981c6801517f3069bf2bfb68793e8e2a2a18ab6255511a6db9df58741a2292

SHA512
b9642e8222ef6f3c1f7d22643877044ccbbf721e0f7a02b74bc696699440395f0796916066b70985fb596aef01a5c1bb5368a1a2a1e3d04b32e21534215473a9

Download Submit
C:\Windows\Temp\92\svchost.exe

Filesize
304KB

MD5
a5e664dc8e5fda2050830d0083a5de9f

SHA1
315b4186191391b8f823408edc7a51621d34c22f

SHA256
dab06ee7b412715f1663366928e0edee20acb1e7d4ada99e420d91d87c85258a

SHA512
2f37b2e45c3e4a53520b31d57e151d2e647fdefc8471077f674ef6eb4f07eeb96c0aabd05c82e3beae7fc9534c96a8e40f93a6a6ed3703546b16c35231f0ffbe

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\Temp\smss.exe

Filesize
137KB

MD5
9b51ba0e6a7518b73bbae1678282301d

SHA1
b4c300f22fb485d83bbec5cebd9fd35d20857785

SHA256
a9bec13d18dc54b08f745ae5ef1ade08fd124e133fa13678aa957225740adbd4

SHA512
95129e19162bc4a779a3c6e88a0471a3a500c765b702d11bae4329818068a0148c32050de771b648c95c9ed34169c1fff7829fcbba5c8f42dbb8dda8f37d4f0e

Download Submit
memory/1840-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1840-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2096-25-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2096-27-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads