Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/06/2024, 21:51
Behavioral task: behavioral1
Sample: 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Size: 27KB
MD5: 00b4a2f1daf18bd2235f05d89fc2d4b1
SHA1: de9c48ec5fe55153135fb58bc842734d40241219
SHA256: fb6c102d3228e4368236d02fa6d6ea8710e507668bc54b235ae93faea70cee88
SHA512: 63e7fcfedeec537b1e0554422ecc2682a5b335bd64e4bcc84b345f63c0820f95e0190918b8ecc0c45be2177329cdaa417efbf035d7a97b59ed672310e05ba0d3
SSDEEP: 192:wSuKabvUcbIkxb0QCuA5Prq+82LnPPFPDFiJEDnZv+Zq+7soQ0lBIPdtg8eHfG6c:bWMMj8PrL82rPP9DFpsQsBIDufjXBu9
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon = "C:\\Windows\\ctfmon.exe" | inetinfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | inetinfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | inetinfo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon = "C:\\Windows\\ctfmon.exe" | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon = "C:\\Windows\\ctfmon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inetinfo = "C:\\Windows\\inetinfo.exe" | inetinfo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon = "C:\\Windows\\ctfmon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inetinfo = "C:\\Windows\\inetinfo.exe" | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | inetinfo.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon = "C:\\Windows\\ctfmon.exe" | inetinfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inetinfo = "C:\\Windows\\inetinfo.exe" | inetinfo.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inetinfo = "C:\\Windows\\inetinfo.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | inetinfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inetinfo = "C:\\Windows\\inetinfo.exe" | winlogon.exe
Drops file in Drivers directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\system32\drivers\etc\networks.exe | winlogon.exe
File created | C:\Windows\system32\drivers\etc\networks.exe | inetinfo.exe
File created | C:\Windows\system32\drivers\etc\networks.exe | winlogon.exe
File opened for modification | C:\Windows\system32\drivers\etc\networks.exe | winlogon.exe
File created | C:\Windows\system32\drivers\etc\networks.exe | inetinfo.exe
File opened for modification | C:\Windows\system32\drivers\etc\networks.exe | inetinfo.exe
File created | C:\Windows\system32\drivers\etc\networks.exe | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
File opened for modification | C:\Windows\system32\drivers\etc\networks.exe | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
File opened for modification | C:\Windows\system32\drivers\etc\networks.exe | winlogon.exe
File opened for modification | C:\Windows\system32\drivers\etc\networks.exe | inetinfo.exe
Executes dropped EXE (4 IoCs)
pid | Process
2812 | winlogon.exe
3240 | inetinfo.exe
3088 | winlogon.exe
2184 | inetinfo.exe

resource | yara_rule
behavioral2/memory/4480-0-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/files/0x000700000002343e-7.dat | upx
behavioral2/memory/2812-21-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/4480-29-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/3240-31-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/2812-34-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/3240-38-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/3088-42-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/2184-43-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/2184-55-0x0000000000400000-0x0000000000415000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxBSLoad = "C:\\Windows\\system32\\MaxBSLoad.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\networks = "C:\\Windows\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxBSLoad = "C:\\Windows\\system32\\MaxBSLoad.exe" | inetinfo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxBSLoad = "C:\\Windows\\system32\\MaxBSLoad.exe" | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\networks = "C:\\Windows\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxBSLoad = "C:\\Windows\\system32\\MaxBSLoad.exe" | inetinfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\networks = "C:\\Windows\\winlogon.exe" | inetinfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\networks = "C:\\Windows\\winlogon.exe" | inetinfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\networks = "C:\\Windows\\winlogon.exe" | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxBSLoad = "C:\\Windows\\system32\\MaxBSLoad.exe" | winlogon.exe
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AutoRun.inf | inetinfo.exe
File created | F:\AutoRun.inf | inetinfo.exe
File opened for modification | C:\AutoRun.inf | inetinfo.exe
File created | C:\AutoRun.inf | inetinfo.exe
Drops file in System32 directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\MaxBSLoad.exe | inetinfo.exe
File created | C:\Windows\SysWOW64\MaxBSLoad.exe | inetinfo.exe
File created | C:\Windows\SysWOW64\MaxBSLoad.exe | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\MaxBSLoad.exe | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\MaxBSLoad.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\MaxBSLoad.exe | winlogon.exe
File created | C:\Windows\SysWOW64\MaxBSLoad.exe | inetinfo.exe
File created | C:\Windows\SysWOW64\MaxBSLoad.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\MaxBSLoad.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\MaxBSLoad.exe | inetinfo.exe
Drops file in Windows directory (30 IoCs)
description | ioc | Process
File created | C:\Windows\inetinfo.exe | winlogon.exe
File created | C:\Windows\winlogon.exe | winlogon.exe
File created | C:\Windows\inetinfo.exe | inetinfo.exe
File opened for modification | C:\Windows\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\ctfmon.exe | winlogon.exe
File opened for modification | C:\Windows\inetinfo.exe | inetinfo.exe
File created | C:\Windows\winlogon.exe | inetinfo.exe
File created | C:\Windows\ctfmon.exe | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
File created | C:\Windows\inetinfo.exe | winlogon.exe
File created | C:\Windows\ctfmon.exe | inetinfo.exe
File opened for modification | C:\Windows\inetinfo.exe | inetinfo.exe
File opened for modification | C:\Windows\ctfmon.exe | inetinfo.exe
File created | C:\Windows\winlogon.exe | inetinfo.exe
File created | C:\Windows\ctfmon.exe | winlogon.exe
File opened for modification | C:\Windows\ctfmon.exe | inetinfo.exe
File created | C:\Windows\ctfmon.exe | winlogon.exe
File opened for modification | C:\Windows\ctfmon.exe | winlogon.exe
File created | C:\Windows\winlogon.exe | winlogon.exe
File created | C:\Windows\ctfmon.exe | inetinfo.exe
File created | C:\Windows\inetinfo.exe | inetinfo.exe
File opened for modification | C:\Windows\winlogon.exe | inetinfo.exe
File opened for modification | C:\Windows\ctfmon.exe | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
File opened for modification | C:\Windows\inetinfo.exe | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
File created | C:\Windows\winlogon.exe | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
File opened for modification | C:\Windows\winlogon.exe | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
File opened for modification | C:\Windows\inetinfo.exe | winlogon.exe
File created | C:\Windows\inetinfo.exe | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
File opened for modification | C:\Windows\inetinfo.exe | winlogon.exe
File opened for modification | C:\Windows\winlogon.exe | inetinfo.exe
Modifies registry class (10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\etc\\networks.exe %1" | inetinfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\etc\\networks.exe %1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\etc\\networks.exe %1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | inetinfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\etc\\networks.exe %1" | inetinfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\etc\\networks.exe %1" | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | inetinfo.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2812 | winlogon.exe
Token: SeDebugPrivilege | 3240 | inetinfo.exe
Token: SeDebugPrivilege | 3088 | winlogon.exe
Token: SeDebugPrivilege | 2184 | inetinfo.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
4480 | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe
2812 | winlogon.exe
3240 | inetinfo.exe
3088 | winlogon.exe
2184 | inetinfo.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4480 wrote to memory of 2812 | 4480 | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe | 81
PID 4480 wrote to memory of 2812 | 4480 | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe | 81
PID 4480 wrote to memory of 2812 | 4480 | 00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe | 81
PID 2812 wrote to memory of 3240 | 2812 | winlogon.exe | 85
PID 2812 wrote to memory of 3240 | 2812 | winlogon.exe | 85
PID 2812 wrote to memory of 3240 | 2812 | winlogon.exe | 85
PID 3240 wrote to memory of 3088 | 3240 | inetinfo.exe | 86
PID 3240 wrote to memory of 3088 | 3240 | inetinfo.exe | 86
PID 3240 wrote to memory of 3088 | 3240 | inetinfo.exe | 86
PID 3088 wrote to memory of 2184 | 3088 | winlogon.exe | 87
PID 3088 wrote to memory of 2184 | 3088 | winlogon.exe | 87
PID 3088 wrote to memory of 2184 | 3088 | winlogon.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\00b4a2f1daf18bd2235f05d89fc2d4b1_JaffaCakes118.exe"
- Adds policy Run key to start application
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4480
C:\Windows\winlogon.exe (tree depth 2)
Command line: C:\Windows\winlogon.exe
- Adds policy Run key to start application
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2812
C:\Windows\inetinfo.exe (tree depth 3)
Command line: C:\Windows\inetinfo.exe
- Adds policy Run key to start application
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3240
C:\Windows\winlogon.exe (tree depth 4)
Command line: C:\Windows\winlogon.exe
- Adds policy Run key to start application
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3088
C:\Windows\inetinfo.exe (tree depth 5)
Command line: C:\Windows\inetinfo.exe
- Adds policy Run key to start application
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2184
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 163B
MD5: 512fca0bdc88098ba32f8bcd61e22144
SHA1: afc73edaff64c79f732e89777a223d1a938b7f33
SHA256: 6817f958d7b3aecae14703989d0bb2b0d01f28fe52e14949f26e16e67734f8c8
SHA512: da68aac20ce0800c07ebefae94aeff5905f15acca430427e79c09beb382b45c77a4f04db98a31d9b25ce3ccd331e2ba2e2cac79aed5f3f8a2c4c0b3cd9ecc273

Filesize: 4KB
MD5: 67078b44374dd4c6be078291a35896a9
SHA1: 7e025a55f3e0dcdab2110d51efb0153b34b3d850
SHA256: 15a571e44397e1580366a5555e153abed454878dbe08aedec152509d415323f8
SHA512: c47f3826aba8f006598dc446ddbfa6dfa27079b16b9b4e3abecb18f03f8f046e5d9eec08c4e55230d5110caee43b33fb2825c7cadfd89524acce3cb94023ed40

Filesize: 27KB
MD5: 00b4a2f1daf18bd2235f05d89fc2d4b1
SHA1: de9c48ec5fe55153135fb58bc842734d40241219
SHA256: fb6c102d3228e4368236d02fa6d6ea8710e507668bc54b235ae93faea70cee88
SHA512: 63e7fcfedeec537b1e0554422ecc2682a5b335bd64e4bcc84b345f63c0820f95e0190918b8ecc0c45be2177329cdaa417efbf035d7a97b59ed672310e05ba0d3