3a9762d5e256412e1f3909d9c0a8138c1665b4c4d32268e204a93bd8b2618752

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 01:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
Size

2.3MB
MD5

02182ea4459c221c6aba68d12c12d2ea
SHA1

fa96d0203c61306b473efa0969fcc0503e19b8ba
SHA256

3a9762d5e256412e1f3909d9c0a8138c1665b4c4d32268e204a93bd8b2618752
SHA512

93a72ecb3d1da529ab3717d15011cc0bd899ccdc4af30b65c72884e1b0b1612d76b1c7d58d2098c8b529308c9e7e62ada90ecf4bb0fc16256470649ebc238649
SSDEEP

49152:bla0FEjNGdXTpZma5RwmlvN0NKe6qsiKZdRt6ZN6L2DfR8Q4noInubOX1:7ilkmWvZeEMNHpenubOF

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX128B.tmp	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX122A.tmp	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX126A.tmp	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX12AB.tmp	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02182ea4459c221c6aba68d12c12d2ea_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX126A.tmp

Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
2.3MB

MD5
b9b8e5890a324082a5bc8668b3431742

SHA1
895d6e866a0740bab19b6a858fe0c621f0072f45

SHA256
5739c9b9a810850ab39f5365fda21ae2a3e0601b9ca96fffa66ac955b45c73e6

SHA512
6a7f2986b96ddc8d98cf20423f7af97e1e769f89617d5caf19b9c41fc14c73a81d07c5e22a76d2d571eda2544b22c0d2c9b8e1fc87fe47b2bcb025544584a0e7

Download Submit
memory/2916-115-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-111-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-112-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-113-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-114-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-109-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-110-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-117-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-118-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-119-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-120-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-121-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-122-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2916-123-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads