b62d38bce35f1b03d28364b52d67970b6d0eb5090030696dd75e70fdf36aad88

General

Target

0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Size

76KB
MD5

0041ae21f6eeb396f6d38e4aab46e51e
SHA1

05c113b693cd27dcdd28321b1575e83df258b13b
SHA256

b62d38bce35f1b03d28364b52d67970b6d0eb5090030696dd75e70fdf36aad88
SHA512

f68d63b858a57cd7212347799132dbb55bb1301647156298c353952b5a99451ab83f060337c696089148c3021f0a180e9ad3883123f2af1a2e5d69cd902127fb
SSDEEP

1536:mX2Ix115R0JuPFrZBh+DYNJxcLwCuDPUbohbpQulUt:mX2I+6Z8uDPUchlQul

Score

6^/10

persistence

Malware Config

Signatures

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdygj.exe"	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdygj.exe	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kdygj.exe	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4256 set thread context of 3196	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe	83

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeSecurityPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeBackupPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeRestorePrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeShutdownPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeDebugPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeUndockPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: 33	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: 34	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: 35	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
Token: 36	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 2892	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe	82
PID 4256 wrote to memory of 2892	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe	82
PID 4256 wrote to memory of 3196	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe	83
PID 4256 wrote to memory of 3196	4256	0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0041ae21f6eeb396f6d38e4aab46e51e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\bfsvc.exe
  C:\Windows\bfsvc.exe
  2⤵
  PID:2892
- C:\Windows\bfsvc.exe
  C:\Windows\bfsvc.exe
  2⤵
  PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4256-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4256-1-0x000000006B800000-0x000000006B8F0000-memory.dmp

Filesize
960KB

Download
memory/4256-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4256-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads