0182f2e29965d54c5aea14679765c19ef2397e42ac2464b113bc9c6da89f618f

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe
Size

355KB
MD5

926c5694a1bceffc43896b4a4009e457
SHA1

b821d0ca3caf0a8d2de114da0faab772b22e0efe
SHA256

0182f2e29965d54c5aea14679765c19ef2397e42ac2464b113bc9c6da89f618f
SHA512

3ec7fb2c12d5010cd514ed54eaecaba16f31e279e508af71e3dc7c0cf2161e34a7df6b4ad2fe7c931f6841712515b92757189ac6029ffefef54d3cbb12811791
SSDEEP

6144:J3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:emWhND9yJz+b1FcMLmp2ATTSsdS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1344	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe
1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d83fcad7 = "Jƒ`Ö\x05o,cfÒøpô\t€}\u009dê”\rßß\x16ô\x06:p¯añ§Ü=±€8õ¡\a©œ½Ñ‘\u0081\u00ad\x01ÑÑêAÀ4¬\x1f‡Ä\|H0<W9Ùg9Y‰Ü‘ŒçÜœâJÜê ä\\âê7”%\x14Y\x19xÊ\\=øq\f!9\x01y¡¼B$ð\x02ìš\x1c\x1dOt¹ùI¡¼¯ù)á\x02:\x02\\åü™ÔŒ¥\f'ñùD\x1c\x01yTA9YœÊ\x0fAP¸ñ\\É\t\x15y4œ]\|B\x02=ˆ¨”aAœÁ×H:a\x12/„ŒÄ™T'\bbÁUýxÙ(\be©\x1c\x14Úùâ¡Úº\u008f\u0081]üÒ,AÌ\b`ÒÚò\t¹¤AåÏ‰Âïßå¤º´Ñš¨Qz™láÊŠù¸Xé•Ç½Ç2-Í7ÐLD\|Ÿˆq”XÁÄ"	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d83fcad7 = "Jƒ`Ö\x05o,cfÒøpô\t€}\u009dê”\rßß\x16ô\x06:p¯añ§Ü=±€8õ¡\a©œ½Ñ‘\u0081\u00ad\x01ÑÑêAÀ4¬\x1f‡Ä\|H0<W9Ùg9Y‰Ü‘ŒçÜœâJÜê ä\\âê7”%\x14Y\x19xÊ\\=øq\f!9\x01y¡¼B$ð\x02ìš\x1c\x1dOt¹ùI¡¼¯ù)á\x02:\x02\\åü™ÔŒ¥\f'ñùD\x1c\x01yTA9YœÊ\x0fAP¸ñ\\É\t\x15y4œ]\|B\x02=ˆ¨”aAœÁ×H:a\x12/„ŒÄ™T'\bbÁUýxÙ(\be©\x1c\x14Úùâ¡Úº\u008f\u0081]üÒ,AÌ\b`ÒÚò\t¹¤AåÏ‰Âïßå¤º´Ñš¨Qz™láÊŠù¸Xé•Ç½Ç2-Í7ÐLD\|Ÿˆq”XÁÄ"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\svchost.exe	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe
File created	C:\Windows\apppatch\svchost.exe	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe
1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe
1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe
1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1344	1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe	28
PID 1920 wrote to memory of 1344	1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe	28
PID 1920 wrote to memory of 1344	1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe	28
PID 1920 wrote to memory of 1344	1920	926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\926c5694a1bceffc43896b4a4009e457_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b13c0a4dad7805d67a3e4639d7a1c521

SHA1
7c545c1e63ef65dfffb29a48553dac70a4589350

SHA256
2469b47476246f7d93f05795ca647ec1896128333dddde4a84df413ea95da7c7

SHA512
c268f7d4d3e92ab6e3317a240f8a66b0a66c64822df9ace8f7039eed16b541f27fb24653724540167e1acb84609fc40f66827bf05515dedd33cb735326eb7b32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82ef318e2e5c3780999e42b587cb78d5

SHA1
51c20cb196ecccbb8a3944bc6c47fec8490ba421

SHA256
764fae6abfedbb16376a1f9cf2c549bb42d95a1edfca82948fc53c3ddcbcc3f1

SHA512
7e2e0db92fbd7a0796480ffe636c931c99c12abc448ab13a45e9c86b7599098a23a9acfc0a562f0585176611ac1e5660175e10571375560707f5ae1ed7a3c023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b689668979d32d7af2af987effda8a96

SHA1
924725b4411d28c5dd5c801c2ff99ab6fedfb41d

SHA256
824e1b19a8dbd7657315629fc93edc138d003b8057434090e5e27597cec35b9a

SHA512
d2706a94888e9250a8776607f9ea081eef36f15d4b821a5dcce153cb9556e9384270e5b671a5d95f56aa0bdf2429175043d4ba42258c2460cac6b4083e416629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GIH0QLJU\login[1].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\739D.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0B6.tmp

Filesize
42KB

MD5
c41edcaf9b060628a50e33ca8b4762bd

SHA1
c50d8b9ff44035ccdcb6fd3fd53e360ff9612d8f

SHA256
637c7b3f0868d1c851f29b501baa6610f29ad7832b98beac91b680676ad29ae3

SHA512
4430409ee9a47a311e645d9d8ec74a9a48299b26f9244fe6d39643331189e87b8ea0f68a1f3ae9b186f0261f1f40a9b7bc0f0b672964ef2f0f9b750977f42063

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0B8.tmp

Filesize
23KB

MD5
ef835a7b46f525d0ddd194a01145df98

SHA1
edad9d1d23bfb0eed6f7ec0d67bac6e807452d51

SHA256
85d11eb6e5536c4ba9ae45ff7f02e496c6d44fc28a42f52a6e16cb210b474eb9

SHA512
51636d7509412707507f1b740c86df6add7a41e25e8ed8bc226a85adfc2f51157bb204731f3fa57413af6ce95c3b45afc6e631193ec72161edf71af2397a249b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB3DB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
23ec518142eccdbaf346b4ba7fde1327

SHA1
683ad213506f56ea0ce4e6b31aa2c7d6273bc5ef

SHA256
57428733fb5837f1b57598d843ffabfe18578f909a8622016643af9e7cba8094

SHA512
f6073620490b91b5b101fb5dd1dbab936773ee43f1735263c4a58598ee20aa6cb9c61786ff878c857ac1ef9e061b2af72dde9d1e462f36178398d18c55edd2a6

Download Submit
memory/1344-58-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-51-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-28-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-36-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-49-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-77-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-76-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-75-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-74-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-73-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-72-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-71-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-70-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-69-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-68-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-66-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-65-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-64-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-63-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-62-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-61-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-60-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-59-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-25-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-57-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-56-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-54-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-53-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-52-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-29-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-50-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-48-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-47-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-46-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-45-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-44-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-43-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-42-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-41-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-67-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-40-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-39-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-38-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-55-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-37-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-35-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-31-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-34-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-14-0x0000000000290000-0x0000000000338000-memory.dmp

Filesize
672KB

Download
memory/1344-16-0x0000000000290000-0x0000000000338000-memory.dmp

Filesize
672KB

Download
memory/1344-18-0x0000000000290000-0x0000000000338000-memory.dmp

Filesize
672KB

Download
memory/1344-20-0x0000000000290000-0x0000000000338000-memory.dmp

Filesize
672KB

Download
memory/1344-24-0x0000000000290000-0x0000000000338000-memory.dmp

Filesize
672KB

Download
memory/1344-23-0x0000000000290000-0x0000000000338000-memory.dmp

Filesize
672KB

Download
memory/1344-33-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-32-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1344-215-0x0000000002390000-0x0000000002446000-memory.dmp

Filesize
728KB

Download
memory/1920-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download