c89c473bb8855ef93d330c6bac7eedd2a0abcb509bc67f34277ce975690262a9

General

Target

05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Size

70KB
MD5

05df61895db79d24796d8f04cbb5e65c
SHA1

ad990c45a86ded2d7166793fb56fb00933e62321
SHA256

c89c473bb8855ef93d330c6bac7eedd2a0abcb509bc67f34277ce975690262a9
SHA512

2ecaca11ca3a02e3780aaffb163a1c9c90353977bb0e49ecd5e01a77b2e2b66e2d2364befb1c1e0dd5df3d819eec81000f6162600ac7e5cd61b89e29eb0a80d6
SSDEEP

1536:iXC1VKZv2jJODZFQmPx5807jcVDON16VWy0oqNOb:rVK1PQKxN2S/6T08

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdjjj.exe"	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kdjjj.exe	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kdjjj.exe	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 2608	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe	29

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeSecurityPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeBackupPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeRestorePrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeShutdownPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeDebugPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeUndockPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: 33	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: 34	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
Token: 35	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1628	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe	28
PID 1676 wrote to memory of 1628	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe	28
PID 1676 wrote to memory of 1628	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe	28
PID 1676 wrote to memory of 1628	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe	28
PID 1676 wrote to memory of 2608	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe	29
PID 1676 wrote to memory of 2608	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe	29
PID 1676 wrote to memory of 2608	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe	29
PID 1676 wrote to memory of 2608	1676	05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05df61895db79d24796d8f04cbb5e65c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\bfsvc.exe
  C:\Windows\bfsvc.exe
  2⤵
  PID:1628
- C:\Windows\bfsvc.exe
  C:\Windows\bfsvc.exe
  2⤵
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1676-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1676-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1676-2-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/1676-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads