25a9eb1811dc03f707cfeea5c7e091e55557294003bf7611d340cae2075c06f0

General

Target

168aaecea7ddc0326669f6d45d85ea05_JaffaCakes118.exe
Size

293KB
MD5

168aaecea7ddc0326669f6d45d85ea05
SHA1

10029d25a557bc81a51cf1d23ca6bcf534a420ac
SHA256

25a9eb1811dc03f707cfeea5c7e091e55557294003bf7611d340cae2075c06f0
SHA512

96c97449c977ad8853d5ea4f58d1771814baf62eec95e89ba5a4fa1cb2619b3b9cf4c9a7b933b62e160e0136a838e53845bf4b8fbce4b9715588a39c676615c8
SSDEEP

6144:M8p6NpUBC+ZLD7A/I1pXFJd4OP/02g61w+b7wqUgfgifJjWUoS:D4O9DM/6x5P/02D+u0qPBNWUoS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	winlogin.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\winlogin.exe	168aaecea7ddc0326669f6d45d85ea05_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\winlogin.exe	168aaecea7ddc0326669f6d45d85ea05_JaffaCakes118.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000e0455a83a7c8da01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0085f83a7c8da01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000060cb6383a7c8da01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000040a75c83a7c8da01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0085f83a7c8da01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000080e45783a7c8da01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000e0455a83a7c8da01	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2616	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2580	2176	168aaecea7ddc0326669f6d45d85ea05_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2580	2176	168aaecea7ddc0326669f6d45d85ea05_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2580	2176	168aaecea7ddc0326669f6d45d85ea05_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2580	2176	168aaecea7ddc0326669f6d45d85ea05_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2616	2552	winlogin.exe	29
PID 2552 wrote to memory of 2616	2552	winlogin.exe	29
PID 2552 wrote to memory of 2616	2552	winlogin.exe	29
PID 2552 wrote to memory of 2616	2552	winlogin.exe	29
PID 2552 wrote to memory of 2616	2552	winlogin.exe	29
PID 2552 wrote to memory of 2616	2552	winlogin.exe	29

C:\Users\Admin\AppData\Local\Temp\168aaecea7ddc0326669f6d45d85ea05_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\168aaecea7ddc0326669f6d45d85ea05_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\SNQVJH.bat
  2⤵
  - Deletes itself
  PID:2580

C:\Program Files (x86)\winlogin.exe
"C:\Program Files (x86)\winlogin.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe" 76665
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  PID:2616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\winlogin.exe

Filesize
293KB

MD5
168aaecea7ddc0326669f6d45d85ea05

SHA1
10029d25a557bc81a51cf1d23ca6bcf534a420ac

SHA256
25a9eb1811dc03f707cfeea5c7e091e55557294003bf7611d340cae2075c06f0

SHA512
96c97449c977ad8853d5ea4f58d1771814baf62eec95e89ba5a4fa1cb2619b3b9cf4c9a7b933b62e160e0136a838e53845bf4b8fbce4b9715588a39c676615c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNQVJH.bat

Filesize
218B

MD5
e5441056ccfe1532f3078ed46d9b9aea

SHA1
8f60a5b212026c34b353d4d0c1de54cd40569552

SHA256
7852bc75d53e18722256162e815e513d20b2388f992de5821c4a24f581cffdbf

SHA512
cffe8c4716919154ed663487ac7f8ccfa5704caa18c11208041c8c755da51622756896d290a48fe571ce1b77a60a0322ebb98f8f588ae7380818e45f8283aa4b

Download Submit
memory/2176-0-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2176-1-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

Filesize
4KB

Download
memory/2176-16-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2552-5-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2552-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2552-28-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2616-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-21-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2616-23-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2616-24-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2616-25-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2616-26-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2616-17-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2616-29-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/2616-30-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing