aab8eaff9af3ac90b28e4e613db329fb6817918ea046c3fe44349ef5a86d4296

General

Target

00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
Size

568KB
MD5

00d55a0adfb2ee1394ddb368be5c7d24
SHA1

42c1ae2858be19c3aaf58f1a5ceff090f092570c
SHA256

aab8eaff9af3ac90b28e4e613db329fb6817918ea046c3fe44349ef5a86d4296
SHA512

a11c51b17d0a6cad3974dd6f579b40700b2ace608c02cd7d35ab6509be5157ef00ccf46cf623291e93d40b2f91f7761eb79bd6cd8b234fa6da232e0e649badad
SSDEEP

6144:SEkNbZcQblOeRpBJ+CGGDKLe8Wiyq+MsbzWqqKUzq7Cm6oB3U6Mcd7yg2FQ6F:SEkNbZHbbz4kKdsbzWqVUzCgQdB2Sq

Score

10^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	svchost.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
320	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
672	svchost.exe
3536	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 4900	1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	81
PID 672 set thread context of 3536	672	svchost.exe	85

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
4900	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
672	svchost.exe
3536	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 4900	1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	81
PID 1312 wrote to memory of 4900	1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	81
PID 1312 wrote to memory of 4900	1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	81
PID 1312 wrote to memory of 4900	1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	81
PID 1312 wrote to memory of 4900	1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	81
PID 1312 wrote to memory of 4900	1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	81
PID 1312 wrote to memory of 4900	1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	81
PID 1312 wrote to memory of 4900	1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	81
PID 1312 wrote to memory of 4900	1312	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	81
PID 4900 wrote to memory of 320	4900	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	82
PID 4900 wrote to memory of 320	4900	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	82
PID 4900 wrote to memory of 320	4900	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	82
PID 4900 wrote to memory of 672	4900	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	83
PID 4900 wrote to memory of 672	4900	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	83
PID 4900 wrote to memory of 672	4900	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	83
PID 672 wrote to memory of 3536	672	svchost.exe	85
PID 672 wrote to memory of 3536	672	svchost.exe	85
PID 672 wrote to memory of 3536	672	svchost.exe	85
PID 672 wrote to memory of 3536	672	svchost.exe	85
PID 672 wrote to memory of 3536	672	svchost.exe	85
PID 672 wrote to memory of 3536	672	svchost.exe	85
PID 672 wrote to memory of 3536	672	svchost.exe	85
PID 672 wrote to memory of 3536	672	svchost.exe	85
PID 672 wrote to memory of 3536	672	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:320
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    /d C:\Users\Admin\AppData\Local\Temp\00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
568KB

MD5
e409473c2c231c1cf0a5724736c2e344

SHA1
6fca90418420071f46a9bd4035a1d591439937c4

SHA256
52d62d8bab76a8cb853052d4e31f6dcd8c8d17c8a713e960fb970937ae965033

SHA512
688e4c21de78d50c11a54ddbf89058e770f0f74fc15a11ae2e446d19b42c77007ee8558460ff11fc58b8e01dde9aad66166df908c31989e9cf619b69ce4ab2c8

Download Submit
memory/3536-27-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-30-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-35-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-34-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-33-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-24-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-32-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-29-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-28-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-31-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-26-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4900-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4900-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4900-22-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4900-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4900-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads