8d0fe7b6bc65421fd571b6c51f0583797a6869ed986dec80ad5e3e36fd5c3e67

General

Target

01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
Size

526KB
MD5

01fdde381103ebe03403d256f7af6376
SHA1

12f9ddfe2489e6f43da3064e5024d9df726b9405
SHA256

8d0fe7b6bc65421fd571b6c51f0583797a6869ed986dec80ad5e3e36fd5c3e67
SHA512

45bbc5042cd371715d77674ee5101b1c24cb0924e4af8d513e21f6a800a4f4b75b2ed20a2b068d1b184403091949a7d0bcc5b9ac2bbe34bf79972305d79b8310
SSDEEP

12288:91bOkk5kYHYnZw00x5y3T1dsV7okjlY4kCu7:91bOkk5hYnjlT1goYljkV

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX64B1.tmp	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX64A1.tmp	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX645F.tmp	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX643F.tmp	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6460.tmp	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01fdde381103ebe03403d256f7af6376_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1728

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX645F.tmp
Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe
Filesize
526KB

MD5
01fdde381103ebe03403d256f7af6376

SHA1
12f9ddfe2489e6f43da3064e5024d9df726b9405

SHA256
8d0fe7b6bc65421fd571b6c51f0583797a6869ed986dec80ad5e3e36fd5c3e67

SHA512
45bbc5042cd371715d77674ee5101b1c24cb0924e4af8d513e21f6a800a4f4b75b2ed20a2b068d1b184403091949a7d0bcc5b9ac2bbe34bf79972305d79b8310

Download Submit
memory/1728-117-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-118-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-113-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-114-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-115-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-34-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-112-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-119-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-120-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-121-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-122-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-123-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1728-124-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads