Analysis
Max time kernel: 150s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 18/04/2024, 20:43

Static task: static1
Behavioral task: behavioral1
  Sample: f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe
Size: 21KB
MD5: f8b51e5454a4604f8e200064aa1e0578
SHA1: 7f9d831223b5860818940d0a964542afc55c895f
SHA256: 5f6f366287fad44e4394a6a6e828b4a4ecf5a817dd8be05cbc66b30c28b7ef3b
SHA512: ec98429da53b543ddf120d248706df781056febf0c42b4b1582f9e3f5521c3f0d9e129b1ad1617a253eaeb3f029736b4fc05ff783506ef914afbcf2abc1e5fab
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBPI0VD/j:1M3PnQoHDCpHf4I4Qwdc0G5KDJ9I0VD7
Malware Config
Signatures
-
Drops file in Drivers directory 60 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
2448 | winlogon.exe
2928 | AE 0124 BE.exe
532 | winlogon.exe
1332 | winlogon.exe
Loads dropped DLL 8 IoCs
pid | Process
1340 | f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe
1340 | f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe
2448 | winlogon.exe
2448 | winlogon.exe
532 | winlogon.exe
2928 | AE 0124 BE.exe
2928 | AE 0124 BE.exe
1332 | winlogon.exe
Drops desktop.ini file(s) 48 IoCs
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\B:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\A:\Autorun.inf | winlogon.exe
File opened for modification | F:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2552 | DllHost.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
1340 | f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe
2448 | winlogon.exe
2928 | AE 0124 BE.exe
532 | winlogon.exe
1332 | winlogon.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 1340 wrote to memory of 2448 | 1340 | f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe | 29
PID 1340 wrote to memory of 2448 | 1340 | f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe | 29
PID 1340 wrote to memory of 2448 | 1340 | f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe | 29
PID 1340 wrote to memory of 2448 | 1340 | f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe | 29
PID 2448 wrote to memory of 2928 | 2448 | winlogon.exe | 30
PID 2448 wrote to memory of 2928 | 2448 | winlogon.exe | 30
PID 2448 wrote to memory of 2928 | 2448 | winlogon.exe | 30
PID 2448 wrote to memory of 2928 | 2448 | winlogon.exe | 30
PID 2448 wrote to memory of 532 | 2448 | winlogon.exe | 31
PID 2448 wrote to memory of 532 | 2448 | winlogon.exe | 31
PID 2448 wrote to memory of 532 | 2448 | winlogon.exe | 31
PID 2448 wrote to memory of 532 | 2448 | winlogon.exe | 31
PID 2928 wrote to memory of 1332 | 2928 | AE 0124 BE.exe | 32
PID 2928 wrote to memory of 1332 | 2928 | AE 0124 BE.exe | 32
PID 2928 wrote to memory of 1332 | 2928 | AE 0124 BE.exe | 32
PID 2928 wrote to memory of 1332 | 2928 | AE 0124 BE.exe | 32
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8b51e5454a4604f8e200064aa1e0578_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1340

  [level 2] C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2448

    [level 3] C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2928

      [level 4] C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID: 1332

    [level 3] C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 532

[level 1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
  PID: 2552
Downloads