34f59b4d0f20f13438558c06eeb4f614cb2b9b49c688bb49fc54987d7d31e25c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
Size

6.8MB
MD5

b84558b772a4a42990e47e40a338dbb3
SHA1

2413458fab95230bc629199a239683280ac04d92
SHA256

34f59b4d0f20f13438558c06eeb4f614cb2b9b49c688bb49fc54987d7d31e25c
SHA512

353787eaebf19389ef66fbe380f6ef7dfb211b2c3df3aa65ac8352e5bfea77f7c37f3f570b5f36833b285f2de1392e21b937e4e13c9d8f90d4b7404ff93e532d
SSDEEP

196608:A6q0HkQgN1DmfJLO03/Vnaiq2L8dET6WBse0aUCeVMRmLnPtT5hyI:A6jCKLO03ZFn846WBsnaiVMRYnFT3z

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sIRC4.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX5822.tmp	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX5843.tmp	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3368	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
3368	b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe

C:\Users\Admin\AppData\Local\Temp\b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b84558b772a4a42990e47e40a338dbb3.jaffacakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\extcheck.exe

Filesize
5.9MB

MD5
276892c54dc4b1c3dbe2c0c635300250

SHA1
96c334e3642b5d4c1de00453b977057c0cc85c2c

SHA256
1e92f4587d7090778fe1f9feba713a29dbf5bc9c8d57263e904dc4de8a7fcb89

SHA512
68fa786d226125719f638f9be1ee4c08b312a431f6aaf92d3d8b88e6c8111a6f1085bae437fe9cdb3c93305f6aa36d8766a7c9c98a2cd166b4d062d046ce6a68

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
6.8MB

MD5
b45caf6db459ec6e896e2623011f2885

SHA1
aa2de2fdc8d66f33c9a69a7cc4444a986829a6e7

SHA256
2677e09ad2e00a9a46efd219246470cf6eb70b3c10a150c75b1a427b6fb6d1b1

SHA512
87b19cd85cfe3417df62b828b45e038d8dd4a5f232a01d9d00e8fa42c3186dc186a5ab728da6b5c1edbeff764e9b3a5ecc9de3fa677fcdce64b280064590618f

Download Submit
memory/3368-5-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3368-11-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/3368-0-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/3368-4-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/3368-3-0x0000000000418000-0x0000000000767000-memory.dmp

Filesize
3.3MB

Download
memory/3368-2-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3368-1-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3368-6-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/3368-7-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/3368-21-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/3368-8-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/3368-99-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/3368-100-0x0000000000418000-0x0000000000767000-memory.dmp

Filesize
3.3MB

Download
memory/3368-101-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/3368-102-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download