36a4251b94d63145e3c99aa6ede2ffa727bd78c5ff83255b0928b7c0c934ce61

General

Target

063862283efc1a22008008cb542301a6_JaffaCakes118.exe
Size

349KB
MD5

063862283efc1a22008008cb542301a6
SHA1

ae57f6c8436f461f8a2711f0268db6d54203d2d9
SHA256

36a4251b94d63145e3c99aa6ede2ffa727bd78c5ff83255b0928b7c0c934ce61
SHA512

2f17708d074b8e6557b973a44d7a0d453330a04a01222a7e1dbe171fdca928b30ee76151201ae16550049a04134b9155517dbae540d94173aeabe08b49ef14c2
SSDEEP

6144:oOavk2p1sc2oNQlTlbm2AKnkB1/GB2FuO1D0Z4LGyvBcG4+hZCPCny2rWt+e2DH+:otk2pKhoWTl5JkB1m2Fu1Z4L34+hZCPu

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\31651cc6\\X"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2352	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
336	csrss.exe
2804	X

Loads dropped DLL 2 IoCs

pid	Process
3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe
3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 2352	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	29

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{4b89fadc-d2b0-6551-b01d-9b7a6354fa3a}	063862283efc1a22008008cb542301a6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4b89fadc-d2b0-6551-b01d-9b7a6354fa3a}\u = "15"	063862283efc1a22008008cb542301a6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4b89fadc-d2b0-6551-b01d-9b7a6354fa3a}\cid = "823679770864488966"	063862283efc1a22008008cb542301a6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe
3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe
3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe
3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe
2804	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe
Token: SeDebugPrivilege	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1152	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	20
PID 3000 wrote to memory of 336	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	2
PID 3000 wrote to memory of 2804	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2804	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2804	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2804	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	28
PID 2804 wrote to memory of 1152	2804	X	20
PID 3000 wrote to memory of 2352	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	29
PID 3000 wrote to memory of 2352	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	29
PID 3000 wrote to memory of 2352	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	29
PID 3000 wrote to memory of 2352	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	29
PID 3000 wrote to memory of 2352	3000	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	29
PID 336 wrote to memory of 1540	336	csrss.exe	31
PID 336 wrote to memory of 1540	336	csrss.exe	31
PID 336 wrote to memory of 2380	336	csrss.exe	32
PID 336 wrote to memory of 2380	336	csrss.exe	32

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1152
- C:\Users\Admin\AppData\Local\Temp\063862283efc1a22008008cb542301a6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\063862283efc1a22008008cb542301a6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\31651cc6\X
    176.53.17.23:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2352

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1540

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\31651cc6\@

Filesize
2KB

MD5
52a9ed25735e79b8cdb59ebceb5dc005

SHA1
d7e435e9427516edb298bab7052c7f8ea7dbc937

SHA256
6acfa25fd993aeb563865938992107ea619f1aff90d0b029ce9b340e629c967c

SHA512
dbfc32a0724c9c2cbad618555f634ac1bc3062c47b8283d6819b46a8da88dfa03072b3bfb48a90ed99768b7999c0dafacdd85756dc845ef21dcfcc54f9c204c7

Download Submit
C:\Windows\system32\consrv.dll

Filesize
31KB

MD5
2718f2d89cab642e96ebad313b64f478

SHA1
94b8e9d95786d2e03bfe61df5705f0bfb8b77f19

SHA256
765090821b30dbca4bdf96de0ffeeeb8821013a643f9405285ef7acdb44fab58

SHA512
e25172284c1e5206568310b7a4bb0c62445a56bc5bcaae65dd39ed86456df03faa20e1a883d0df60c9253b250ff7e8d11e7bb05f89dca69ba7c5b261f35a70f6

Download Submit
\Users\Admin\AppData\Local\31651cc6\X

Filesize
41KB

MD5
be40a2578e862f1cecc9b9194f524201

SHA1
0c379f375f9bcfab2e8d86161cec07fe4a7dbc12

SHA256
2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6

SHA512
25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
ebedb16e540ac1728cd5bebbe171be25

SHA1
00dfdf647580b0b9aa75377ce193e2a236a18b53

SHA256
a61a9eea7e3ea00cc42b3d90af939fac8e367474976152e75684dc29adcd19f9

SHA512
4717ab49d650f888aadca0bb4c44860131bd3b45cf09bb7cb66a9f3525c6e73a09200f1bf0ecfe89629fd3ca20c2a346048d69e27b096564d11c7085b03e2162

Download Submit
memory/336-53-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/336-29-0x0000000000E40000-0x0000000000E4C000-memory.dmp

Filesize
48KB

Download
memory/336-28-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/336-27-0x0000000000E40000-0x0000000000E4C000-memory.dmp

Filesize
48KB

Download
memory/1152-40-0x0000000002AF0000-0x0000000002AFB000-memory.dmp

Filesize
44KB

Download
memory/1152-48-0x0000000002AF0000-0x0000000002AFB000-memory.dmp

Filesize
44KB

Download
memory/1152-60-0x0000000002B10000-0x0000000002B1B000-memory.dmp

Filesize
44KB

Download
memory/1152-20-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1152-16-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1152-12-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1152-22-0x0000000002AE0000-0x0000000002AE2000-memory.dmp

Filesize
8KB

Download
memory/1152-59-0x0000000002AD0000-0x0000000002AD8000-memory.dmp

Filesize
32KB

Download
memory/1152-51-0x0000000002AD0000-0x0000000002AD8000-memory.dmp

Filesize
32KB

Download
memory/1152-44-0x0000000002AF0000-0x0000000002AFB000-memory.dmp

Filesize
44KB

Download
memory/1152-49-0x0000000002B10000-0x0000000002B1B000-memory.dmp

Filesize
44KB

Download
memory/3000-31-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3000-50-0x0000000000400000-0x0000000000468E6C-memory.dmp

Filesize
419KB

Download
memory/3000-2-0x0000000000400000-0x0000000000468E6C-memory.dmp

Filesize
419KB

Download
memory/3000-6-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/3000-9-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/3000-57-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3000-58-0x0000000000400000-0x0000000000468E6C-memory.dmp

Filesize
419KB

Download
memory/3000-3-0x0000000000470000-0x00000000004A3000-memory.dmp

Filesize
204KB

Download
memory/3000-21-0x0000000000400000-0x0000000000468E6C-memory.dmp

Filesize
419KB

Download
memory/3000-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads