2b8ff82de61c556efd75ffbe82f436022d2abc62b6b35e5bc078a937d025b50c

General

Target

03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
Size

848KB
MD5

03c8634d24f2dd97578b9df2dadcf3ea
SHA1

829781c9167b0fff532cdbe822fc065bf4bf5825
SHA256

2b8ff82de61c556efd75ffbe82f436022d2abc62b6b35e5bc078a937d025b50c
SHA512

874d7fd99f7228d40727f5c49e8c3f3c7018f21fb93cbdc33ff890a5125138e67c5a9c163cca47143fa06a3e3b5e40c8bab282c427df84f91f8a797921521ac5
SSDEEP

24576:J1bcny3Md9nUja2NzRWjoPnYmiYTv+SLBpO:J13Md6NMj+6te6

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6717.tmp	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6707.tmp	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c8634d24f2dd97578b9df2dadcf3ea_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\jabswitch.exe
Filesize
63KB

MD5
f7faaa551cdc1f055ee0392dfae114e7

SHA1
4368d3cc7f860462a6f81e59071cf95ccf9c8440

SHA256
86a09ff830d7b6d6ecca090525b2e500592fdf2ef9abf995aaf692b3a648ee4d

SHA512
9c6ffbe45093295f3df184273b59ef5e5a19f1537326d558db227262ad6f00c6516659614c1cc69772b0e54b66d4f3a6d74cd89e2d12da116ed01eccb7701d0a

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe
Filesize
930KB

MD5
c7cdb5eba9eed5e1a5fe4008e589b961

SHA1
78de544a875dd9e0a561abb447d479b0cd7822af

SHA256
280fe99f935710172f63ad37b9c561c6a440ac06926d525691e6ab1209e67876

SHA512
4e05b178942b0429c7bbad153fc057ad8a37e4714e40d9eed2162adc5427026ba3040bb392dc3dda62f260cfb9124725cd9f5fa6e09d857b4bace25579d36b18

Download Submit
memory/1472-94-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1472-91-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1472-92-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1472-93-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1472-41-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1472-95-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1472-96-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1472-97-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1472-98-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1472-99-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1472-100-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads