c00d003bdf8072037befdb98d23119917cc436ee0ecd36fecb269605bd43057b

General

Target

0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
Size

47KB
MD5

0f3c47958d614b859855c711758a5df0
SHA1

40aae0308cdb8ad2dfa658a19b55968dade737fd
SHA256

c00d003bdf8072037befdb98d23119917cc436ee0ecd36fecb269605bd43057b
SHA512

d754072f7fd1adebf22e376b06ac362f22844d7643e8328ea1ca8094827aebbcffb1ec59242fe9e0288c436bc7bf519b2f90234720190a339b348e3b31a6b987
SSDEEP

768:1/z6MO8JdJfSAAWbfTC2/0Q9TEiXgKcnpn8sfEbyFXL1gP6MGHQkwIkNis:1b6MXpSAAWb7C2dTEfCsfEbyp1gvGHcB

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\Userinit.exe,C:\\Windows\\system32\\ahue.exe"	_t1290F.tmp

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2840	_t1290F.tmp
2744	_fi2910.tmp
2300	ahue.exe

Loads dropped DLL 1 IoCs

pid	Process
2300	ahue.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000016fa5-40.dat	upx
behavioral2/memory/2300-41-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2300-50-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\driver\setc\hosts	_fi2910.tmp
File created	C:\Windows\SysWOW64\driver\setc\hosts	_t1290F.tmp
File created	C:\Windows\SysWOW64\ahue.exe	_t1290F.tmp
File created	C:\Windows\SysWOW64\apphelp.nud	_t1290F.tmp
File opened for modification	C:\Windows\SysWOW64\ahue.exe	_t1290F.tmp
File opened for modification	C:\Windows\SysWOW64\apphelp.nud	_t1290F.tmp

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fsutil.exe	_fi2910.tmp
File opened for modification	C:\Windows\SQLSADO.HLP	_fi2910.tmp
File opened for modification	C:\Windows\SysWOW64	_t1290F.tmp
File created	C:\Windows\fsutil.exe	_fi2910.tmp
File created	C:\Windows\SQLSADO.HLP	_fi2910.tmp

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1948	2300	WerFault.exe	94
4028	2744	WerFault.exe	93

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2840	_t1290F.tmp
Token: SeIncBasePriorityPrivilege	392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
2840	_t1290F.tmp
2840	_t1290F.tmp
2744	_fi2910.tmp
2744	_fi2910.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2840	392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	92
PID 392 wrote to memory of 2840	392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	92
PID 392 wrote to memory of 2840	392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	92
PID 392 wrote to memory of 2744	392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	93
PID 392 wrote to memory of 2744	392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	93
PID 392 wrote to memory of 2744	392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	93
PID 2840 wrote to memory of 2300	2840	_t1290F.tmp	94
PID 2840 wrote to memory of 2300	2840	_t1290F.tmp	94
PID 2840 wrote to memory of 2300	2840	_t1290F.tmp	94
PID 2840 wrote to memory of 432	2840	_t1290F.tmp	96
PID 2840 wrote to memory of 432	2840	_t1290F.tmp	96
PID 2840 wrote to memory of 432	2840	_t1290F.tmp	96
PID 392 wrote to memory of 1096	392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	98
PID 392 wrote to memory of 1096	392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	98
PID 392 wrote to memory of 1096	392	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\_t1290F.tmp
  "C:\Users\Admin\AppData\Local\Temp\_t1290F.tmp"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\ahue.exe
    "C:\Windows\system32\ahue.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 572
      4⤵
      Program crash
      PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\_t1290F.tmp > nul
    3⤵
    PID:432
- C:\Users\Admin\AppData\Local\Temp\_fi2910.tmp
  "C:\Users\Admin\AppData\Local\Temp\_fi2910.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 452
    3⤵
    - Program crash
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0F3C47~1.EXE > nul
  2⤵
  PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2744 -ip 2744
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2300 -ip 2300
1⤵
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.tmp

Filesize
20KB

MD5
cdf9efb65ec6a09aebc11dbacbab3d00

SHA1
16d235d64474051cd5bf72ad1918a90934d4ce70

SHA256
d1e04e823e636bfbcd6b2e0e6731bbcdd5ba5ffa1cc17ff9104278796a2f1590

SHA512
db9371e83bea14d222c46b47938987dd277e50e1db93b28a2528da87cc457d15a11589a30c69e5d9b6187ce443b93498490e1f1c043f3a7200b8bcb5a4494c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_fi2910.tmp

Filesize
23KB

MD5
47833b2b597142651b93a212f8fbff87

SHA1
a970368b071a80f0f807bb9eebc9807674647617

SHA256
fdb0be56e2bbb877e59db307c71b597c3bf04c8f4fc8661668d968c717b739a5

SHA512
99807a798891e009fb8d6feef1b16564f9219d1780d042dfe77398f910991389ef03ed17b1ab5b3bde1bddf70ddaa3ebc8a027b655262aff831bcfc8f834d8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_t1290F.tmp

Filesize
20KB

MD5
30d60a822328ad77a62199e468d03966

SHA1
42eb2953702b2df4e5dbcb7e26bc06b7cffe5e31

SHA256
86fc6d353e5723ee1c82c6a996b42772414e0da81c8db91378f7d267fa20a34c

SHA512
f03b9e2783b55cf0ad2e1ac9dd5a53c50309a917a85ebf4432a3f458bb176246ea8c7c2e4f20b7b49632c26ed4a26d898babda04b77435ddf803eae41e43de3d

Download Submit
C:\Windows\SysWOW64\ahue.exe

Filesize
7KB

MD5
698500427ca50cec5dbd8698eb421bad

SHA1
490455d78ebfad2cca9037dcc2e221c3f6bed4ca

SHA256
52d10061c647ee2f3f6ad7d5fe6523726d6560040c1ad1e22cbd9ea753cbc45f

SHA512
8fd462a6de248a561ff03bc7c3f54390c41c042f58c3c492d77ce4df8984c7f86654cf82957dd891eb934487114d3e1f56b236aba7743f32914407c45536357f

Download Submit
C:\Windows\SysWOW64\apphelp.nud

Filesize
13KB

MD5
8557194945a2dc9fed9aaa7cab83186a

SHA1
b17d08ee1715bdd12af06f1d6fe45a3ea5d4c1e7

SHA256
1175c8f82fa67cfbead523aa1f51e2b9be75bedc93a1f3b7601a5a4ffd9dae12

SHA512
951d42355d1438e66aad3d20cd768dc3775660ca5890deecf7d81a9e75063ae7daf3d05e725087eafa8b01f0fa56f144caab41210d10abfde6f5ef13527e795f

Download Submit
memory/392-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/392-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2300-45-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2300-47-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2300-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2300-51-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2744-26-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2744-49-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2840-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2840-46-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads