1a2079f29f4de929d34127d64e682db7ea6bfdb7b55831dd4be511a024d6e237

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
Size

312KB
MD5

79b891f80896a36e29cb4ed8599cacf6
SHA1

2b238ea58a1c54ab4d8531a9b1e6c3c56e554f7b
SHA256

1a2079f29f4de929d34127d64e682db7ea6bfdb7b55831dd4be511a024d6e237
SHA512

baf68e46948abb51e59fc1867e20398b9617729a60b02883301898c5344130f107676471bf03d1e63cf0050e03d8401ae632f4500d87a15588501245692c0236
SSDEEP

6144:Qdr14UChnrsy/Ay4aUi8YRBfkvtmFW/OZM9+1+gWQbHyuG9peWx5Xyy7XcW3bROJ:OyUChnrsy/Ay4aUi8YRVkvtmFW/OZM9m

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe"	nacl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe"	h2s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe"	lsass.exe

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nacl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	h2s.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	lsass.exe
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	nacl.exe

Executes dropped EXE 6 IoCs

pid	Process
2988	h2s.exe
2576	lsass.exe
1092	h2s.exe
2412	lsass.exe
1304	nacl.exe
2520	lsass.exe

Loads dropped DLL 5 IoCs

pid	Process
3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
2988	h2s.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe"	nacl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe"	h2s.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\WINDOWS\system\lsass.exe	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
File created	C:\WINDOWS\nacl.exe	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\nacl.exe	h2s.exe
File opened for modification	C:\WINDOWS\system\lsass.exe	h2s.exe
File created	C:\WINDOWS\userinit.exe	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
File created	C:\WINDOWS\h2s.exe	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system\lsass.exe	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\nacl.exe	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
File created	C:\WINDOWS\nacl.exe	h2s.exe
File created	C:\WINDOWS\system\lsass.exe	h2s.exe
File opened for modification	C:\WINDOWS\userinit.exe	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\h2s.exe	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000005558af70100041646d696e00380008000400efbe5558e86b5558af702a00000028000000000004000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a00310000000000bb58b382102054656d700000360008000400efbe5558e86bbb58b3822a000000f8010000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = a200310000000000bb58b38210203739423839317e3100008a0008000400efbebb58b382bb58b3822a0000007f560100000008000000000000000000000000000000370039006200380039003100660038003000380039003600610033003600650032003900630062003400650064003800350039003900630061006300660036005f004a006100660066006100430061006b0065007300310031003800000018000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000005558386d10204c6f63616c00380008000400efbe5558e86b5558386d2a000000f70100000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7400310000000000bb58b3821100557365727300600008000400efbeee3a851abb58b3822a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000005558e86b122041707044617461003c0008000400efbe5558e86b5558e86b2a000000350000000000030000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	h2s.exe
2576	lsass.exe
1092	h2s.exe
2412	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2520	lsass.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
2576	lsass.exe
1304	nacl.exe
2988	h2s.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
1304	nacl.exe
2988	h2s.exe
2576	lsass.exe
1304	nacl.exe
2988	h2s.exe
2576	lsass.exe
1304	nacl.exe
2988	h2s.exe
2576	lsass.exe
1304	nacl.exe
2988	h2s.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe
1304	nacl.exe
2576	lsass.exe
2988	h2s.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
2988	h2s.exe
2988	h2s.exe
2576	lsass.exe
2576	lsass.exe
1092	h2s.exe
1092	h2s.exe
2412	lsass.exe
2412	lsass.exe
1304	nacl.exe
1304	nacl.exe
2520	lsass.exe
2520	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2388	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2388	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2388	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2388	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2988	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2988	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2988	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2988	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2640	2988	h2s.exe	31
PID 2988 wrote to memory of 2640	2988	h2s.exe	31
PID 2988 wrote to memory of 2640	2988	h2s.exe	31
PID 2988 wrote to memory of 2640	2988	h2s.exe	31
PID 2388 wrote to memory of 2652	2388	cmd.exe	32
PID 2388 wrote to memory of 2652	2388	cmd.exe	32
PID 2388 wrote to memory of 2652	2388	cmd.exe	32
PID 2388 wrote to memory of 2652	2388	cmd.exe	32
PID 3000 wrote to memory of 2576	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	34
PID 3000 wrote to memory of 2576	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	34
PID 3000 wrote to memory of 2576	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	34
PID 3000 wrote to memory of 2576	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	34
PID 2640 wrote to memory of 2836	2640	cmd.exe	35
PID 2640 wrote to memory of 2836	2640	cmd.exe	35
PID 2640 wrote to memory of 2836	2640	cmd.exe	35
PID 2640 wrote to memory of 2836	2640	cmd.exe	35
PID 2576 wrote to memory of 2452	2576	lsass.exe	36
PID 2576 wrote to memory of 2452	2576	lsass.exe	36
PID 2576 wrote to memory of 2452	2576	lsass.exe	36
PID 2576 wrote to memory of 2452	2576	lsass.exe	36
PID 2652 wrote to memory of 2704	2652	net.exe	37
PID 2652 wrote to memory of 2704	2652	net.exe	37
PID 2652 wrote to memory of 2704	2652	net.exe	37
PID 2652 wrote to memory of 2704	2652	net.exe	37
PID 2836 wrote to memory of 2312	2836	net.exe	39
PID 2836 wrote to memory of 2312	2836	net.exe	39
PID 2836 wrote to memory of 2312	2836	net.exe	39
PID 2836 wrote to memory of 2312	2836	net.exe	39
PID 2452 wrote to memory of 2588	2452	cmd.exe	40
PID 2452 wrote to memory of 2588	2452	cmd.exe	40
PID 2452 wrote to memory of 2588	2452	cmd.exe	40
PID 2452 wrote to memory of 2588	2452	cmd.exe	40
PID 2588 wrote to memory of 876	2588	net.exe	41
PID 2588 wrote to memory of 876	2588	net.exe	41
PID 2588 wrote to memory of 876	2588	net.exe	41
PID 2588 wrote to memory of 876	2588	net.exe	41
PID 3000 wrote to memory of 2624	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	43
PID 3000 wrote to memory of 2624	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	43
PID 3000 wrote to memory of 2624	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	43
PID 3000 wrote to memory of 2624	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	43
PID 3000 wrote to memory of 1092	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	45
PID 3000 wrote to memory of 1092	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	45
PID 3000 wrote to memory of 1092	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	45
PID 3000 wrote to memory of 1092	3000	79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe	45
PID 1092 wrote to memory of 2924	1092	h2s.exe	46
PID 1092 wrote to memory of 2924	1092	h2s.exe	46
PID 1092 wrote to memory of 2924	1092	h2s.exe	46
PID 1092 wrote to memory of 2924	1092	h2s.exe	46
PID 2924 wrote to memory of 2920	2924	cmd.exe	48
PID 2924 wrote to memory of 2920	2924	cmd.exe	48
PID 2924 wrote to memory of 2920	2924	cmd.exe	48
PID 2924 wrote to memory of 2920	2924	cmd.exe	48
PID 2920 wrote to memory of 1376	2920	net.exe	49
PID 2920 wrote to memory of 1376	2920	net.exe	49
PID 2920 wrote to memory of 1376	2920	net.exe	49
PID 2920 wrote to memory of 1376	2920	net.exe	49

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	h2s.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0"	h2s.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	nacl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	h2s.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nacl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0"	nacl.exe

C:\Users\Admin\AppData\Local\Temp\79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\net.exe
    net share "phim_hai_hay=C:\Documents and Settings\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
      4⤵
      PID:2704
- C:\WINDOWS\h2s.exe
  C:\WINDOWS\h2s.exe
  2⤵
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\net.exe
      net share "phim_hai_hay=C:\Documents and Settings\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
        5⤵
        
        PID:2312
- - C:\WINDOWS\nacl.exe
    C:\WINDOWS\nacl.exe
    3⤵
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      4⤵
      PID:2300
- - C:\WINDOWS\system\lsass.exe
    C:\WINDOWS\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      4⤵
      PID:2112
- C:\WINDOWS\system\lsass.exe
  C:\WINDOWS\system\lsass.exe
  2⤵
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\net.exe
      net share "phim_hai_hay=C:\Documents and Settings\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
        5⤵
        
        PID:876
- C:\Windows\SysWOW64\explorer.exe
  explorer 79b891f80896a36e29cb4ed8599cacf6_JaffaCakes118
  2⤵
  PID:2624
- C:\WINDOWS\h2s.exe
  C:\WINDOWS\h2s.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\net.exe
      net share "phim_hai_hay=C:\Documents and Settings\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
        5⤵
        
        PID:1376
- C:\WINDOWS\system\lsass.exe
  C:\WINDOWS\system\lsass.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\net.exe
      net share "phim_hai_hay=C:\Documents and Settings\Temp"
      4⤵
      PID:2676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
        5⤵
        
        PID:288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\system32\drivers\etc\hosts

Filesize
578B

MD5
4cedd41692993cf5a0a40baeb724b871

SHA1
fc1eeb1d88966ea4a816bcbdab320830b6f70261

SHA256
fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

SHA512
e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

Download Submit
C:\Windows\system\lsass.exe

Filesize
312KB

MD5
79b891f80896a36e29cb4ed8599cacf6

SHA1
2b238ea58a1c54ab4d8531a9b1e6c3c56e554f7b

SHA256
1a2079f29f4de929d34127d64e682db7ea6bfdb7b55831dd4be511a024d6e237

SHA512
baf68e46948abb51e59fc1867e20398b9617729a60b02883301898c5344130f107676471bf03d1e63cf0050e03d8401ae632f4500d87a15588501245692c0236

Download Submit
memory/1644-67-0x0000000003D10000-0x0000000003D20000-memory.dmp

Filesize
64KB

Download
memory/3000-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download