ace9b7cf6d1ce131b35ec00618be8b5fb40524fa67b3d860f05b1ba51b5ddee9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00f045507bae5baa25370fe276373916_JaffaCakes118.exe
Size

717KB
MD5

00f045507bae5baa25370fe276373916
SHA1

7a5a548678ff6ac8caa4ec2bcbb1171047235723
SHA256

ace9b7cf6d1ce131b35ec00618be8b5fb40524fa67b3d860f05b1ba51b5ddee9
SHA512

aff5f732e82aa868bec693e36a69263eddda2d5f8ec358d7e37171e0731bce0cfe728c0af1b265bd196a4f423541198b4a356a0aa54ae5c0918f043d8b81f336
SSDEEP

12288:b1b9sSN/AO81I/RfXUAFXGApcX1tMa+fm7FvhVXU1O8ornq+ru1f0lTzg0KFGg1d:b1b9oLQHGApq70ErVXUZorHru1KHgDJf

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	00f045507bae5baa25370fe276373916_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7177.tmp	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7187.tmp	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX71C8.tmp	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX71A8.tmp	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\createdump.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	00f045507bae5baa25370fe276373916_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\00f045507bae5baa25370fe276373916_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00f045507bae5baa25370fe276373916_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\jabswitch.exe

Filesize
63KB

MD5
6991d54db59052b736f31adefd1c7afc

SHA1
63b7f925c0d8d9dd33a69a11b74799a053739a42

SHA256
182c946ba270fff123b1f468baa66eb1e66505cd195f824ee45afe3cda672dcb

SHA512
fb838b84d70beeb6cb318c89a00844c06147ad5cf6e40b84e79a95f5da40bd501e858727a321d67bcbd07b018dcbfdc2ff72cf7dabd73c6b3acca44e269f9352

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
930KB

MD5
968462a328be67cebaf43c03b825d59c

SHA1
f64ae10991f8b74127879bbd895fde342276db00

SHA256
6910c439ba2880b34736c0b386e98d7ffd89071e5ec74d77bd17bc12a451b7ef

SHA512
45cd1ec3597f41e201ff710a65f8fab536411b351133ff064722b68f6692f591b8a33bb59d6dadcbea915a0ca72d402fab81ef2cfe87aef20817b993572bdd94

Download Submit
memory/1664-45-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1664-101-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1664-102-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1664-103-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1664-104-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1664-105-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1664-106-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1664-107-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1664-108-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1664-109-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads