bcd053711d20c9abbc48d0b2146f70124ce63f71310b6997acfcc0aa0543d404

General

Target

03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
Size

2.2MB
MD5

03beac3afcc5a9b76c61b379117ab4c8
SHA1

b73baee44f126066414e867ed9e755649b8d0381
SHA256

bcd053711d20c9abbc48d0b2146f70124ce63f71310b6997acfcc0aa0543d404
SHA512

808af708c03ad94e94325a3df51db056238e956599595e91d3ccca094314d5a5e067ad8f28331ac42ec21b7ec6392aeb5f46e70295cd3d3fe30a5a890647e39d
SSDEEP

49152:9WAMXZZaYGPeVALqx95dXLrnURAwrcD6BvvTxLKyc2A7u3Idr9x7EY:aX2YA2Aw9LbrnWFg+BvLtKLuYdr9H

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX86FE.tmp	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX871E.tmp	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX873E.tmp	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX875E.tmp	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03beac3afcc5a9b76c61b379117ab4c8_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2932

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\jabswitch.exe
Filesize
78KB

MD5
3680a2aee0defc1df6b6c113b53ca0e9

SHA1
d584e7a7cd317c7c374c470ba4b4dd30df711d13

SHA256
c97d47eed32ad57ffdafe3a2844144c5356d3d7ac7ee1357ba9fc7282f3a917b

SHA512
fda7fc98456de7ce186d14cdbe951ba2f9499d9495db56dae2dc9b78d32dcfdaa3eb4de5b3747287bfce2d3069e30e1dd28809b938b1dc83c22e69c23c6fcb0f

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe
Filesize
2.2MB

MD5
0c794299c5aadc0725aa92013b708b1d

SHA1
27c0267aa27844e60708bb1eae0dda82dcb64985

SHA256
4fe90181c2be21bc2380b1389fea9f27468da2bb166e135f050562e9d22c5d26

SHA512
ec39febed043ab0baa6cda9091fa61be93afa7125fc28c38d6d7dc6c8f1b64bae876867531c7a906ca4be5a5e995dab338571eb00828ac21c4fc66b619cabb68

Download Submit
memory/2932-47-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-104-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-105-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-106-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-107-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-108-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-109-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads