34f59b4d0f20f13438558c06eeb4f614cb2b9b49c688bb49fc54987d7d31e25c

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
Size

6.8MB
MD5

b84558b772a4a42990e47e40a338dbb3
SHA1

2413458fab95230bc629199a239683280ac04d92
SHA256

34f59b4d0f20f13438558c06eeb4f614cb2b9b49c688bb49fc54987d7d31e25c
SHA512

353787eaebf19389ef66fbe380f6ef7dfb211b2c3df3aa65ac8352e5bfea77f7c37f3f570b5f36833b285f2de1392e21b937e4e13c9d8f90d4b7404ff93e532d
SSDEEP

196608:A6q0HkQgN1DmfJLO03/Vnaiq2L8dET6WBse0aUCeVMRmLnPtT5hyI:A6jCKLO03ZFn846WBsnaiVMRYnFT3z

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX168D.tmp	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1788.tmp	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1884.tmp	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2868	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe

C:\Users\Admin\AppData\Local\Temp\b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX1788.tmp

Filesize
5.9MB

MD5
a61c85585b0ba98de35d78f2cb346ee1

SHA1
dd48c5d0cff01ae3a4a0fa153b279bbf9852d3f6

SHA256
8a4514df1106315cbcc2937f48b467280e87179317ea617debb4b1df3f26a5bb

SHA512
f0ee41a5cf1af67f3ec5ad02bde9cb030759e4c7a2eb562a1e7ce7f1353b210091973936caa15eb9813933227191f3cf4f06e369fab822f108b92fd7740d9c9c

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
6.8MB

MD5
a52356f496ef5e2dc965447555886072

SHA1
9d954db7a7750144926fd5e0aa2fee0a266e7fd6

SHA256
60eef7eb3548619f1f725d29d84124a758953636e24fffaa2193e24d494c1275

SHA512
ac69972897f0c48181dce3868054cbfea442fe0c50700e3ab49209d78a60359aa00519a4bb83581d3a7da298e13ec5ebafe85a9ee0f38ca450675543363e370f

Download Submit
memory/2868-15-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2868-148-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2868-48-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2868-47-0x0000000000418000-0x0000000000767000-memory.dmp

Filesize
3.3MB

Download
memory/2868-36-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2868-33-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2868-30-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2868-28-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2868-25-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2868-23-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2868-20-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2868-11-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2868-35-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2868-0-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2868-18-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2868-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2868-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2868-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2868-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2868-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2868-49-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2868-50-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2868-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2868-146-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2868-13-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2868-147-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2868-149-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download