2b8ff82de61c556efd75ffbe82f436022d2abc62b6b35e5bc078a937d025b50c

General

Target

03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
Size

848KB
MD5

03c8634d24f2dd97578b9df2dadcf3ea
SHA1

829781c9167b0fff532cdbe822fc065bf4bf5825
SHA256

2b8ff82de61c556efd75ffbe82f436022d2abc62b6b35e5bc078a937d025b50c
SHA512

874d7fd99f7228d40727f5c49e8c3f3c7018f21fb93cbdc33ff890a5125138e67c5a9c163cca47143fa06a3e3b5e40c8bab282c427df84f91f8a797921521ac5
SSDEEP

24576:J1bcny3Md9nUja2NzRWjoPnYmiYTv+SLBpO:J13Md6NMj+6te6

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6441.tmp	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExitSwitch.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6461.tmp	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6440.tmp	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1996

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX6441.tmp
Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe
Filesize
882KB

MD5
5a8237085cea4fac13820152605c11fc

SHA1
ac7281f84ceb570065ce412924627c2acca8819a

SHA256
56e4cb912d0980fcc371fe375e5b7ef9c4aa30d09199fea489a1c95332155efe

SHA512
5ae04957bfe49a931e1dc176c0a1f7e5c668d460e91ad93e068a15542ef97c4dab7df31c22c8d591bdb6c4b63ca6adec12dd9de81ca954fe3bf6fb829a06d9db

Download Submit
memory/1996-115-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-111-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-112-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-113-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-114-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-38-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-110-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-117-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-118-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-119-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-120-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-121-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1996-122-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads