bcd053711d20c9abbc48d0b2146f70124ce63f71310b6997acfcc0aa0543d404

General

Target

03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
Size

2.2MB
MD5

03beac3afcc5a9b76c61b379117ab4c8
SHA1

b73baee44f126066414e867ed9e755649b8d0381
SHA256

bcd053711d20c9abbc48d0b2146f70124ce63f71310b6997acfcc0aa0543d404
SHA512

808af708c03ad94e94325a3df51db056238e956599595e91d3ccca094314d5a5e067ad8f28331ac42ec21b7ec6392aeb5f46e70295cd3d3fe30a5a890647e39d
SSDEEP

49152:9WAMXZZaYGPeVALqx95dXLrnURAwrcD6BvvTxLKyc2A7u3Idr9x7EY:aX2YA2Aw9LbrnWFg+BvLtKLuYdr9H

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1F73.tmp	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\DebugUnprotect.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1F53.tmp	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1F94.tmp	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1F95.tmp	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2240

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX1F94.tmp
Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe
Filesize
2.2MB

MD5
df0b0a123d9d48a79c7a68d0532cd1ca

SHA1
810b91244ee37fd2a8e92e3416b43e4192dbdb7c

SHA256
e634c84c7b6870ce004c82b334f0ee2f7e2dcf24ac35202e33ac51399aabbcc0

SHA512
49b8f08645dd5875d8c66675b41fe0ba561396a2a2e0242777d09ff3f245525442ba79e9b9ad882567acb24a5d594065446348c15a5e40ed03dc6f1981982c0e

Download Submit
memory/2240-122-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-123-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-118-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-119-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-120-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-121-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-117-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-124-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-125-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-127-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-128-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-129-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads