d5cd85bfd4e8a006384da813c053a4ffc903ae2127f431c565540644adf9dce6

General

Target

2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
Size

1.9MB
MD5

2cf4c932c6b1673b42b6d6b4ff2a9056
SHA1

fbfa9aa93e3b4808ebac4aa2c2b80f7562c9b687
SHA256

d5cd85bfd4e8a006384da813c053a4ffc903ae2127f431c565540644adf9dce6
SHA512

0629a884d90d6304a7d48afb43a43005e680d6b734bee32a75c6b67a40391fbdc92fb1647d30ffd557a02b68bf99bf033c3f377b87382a980860f15ca0f10216
SSDEEP

49152:N5NN4inWyFIS1nlfNeuSS1JFCGLvEcTIMMdY17N:N5NN4inWyF5nJ6SUQvx/yY1B

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\PCenter\\pc.exe"	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2288	agent.exe

Loads dropped DLL 6 IoCs

pid	Process
2112	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
2112	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
2112	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
2288	agent.exe
2288	agent.exe
2288	agent.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\agent.exe = "C:\\Program Files (x86)\\PCenter\\agent.exe"	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PCenter\faq\images\gimg6.jpg	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg7.jpg	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg9.jpg	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\uninstall.exe	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\pc.exe	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\agent.exe	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg8.jpg	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\faq\guide.html	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg10.jpg	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg2.jpg	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg3.jpg	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg5.jpg	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\sounds\1.mp3	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\sounds\3.mp3	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg1.jpg	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg4.jpg	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2288	agent.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2288	agent.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2288	agent.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2288	2112	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2288	2112	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2288	2112	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2288	2112	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2288	2112	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2288	2112	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2288	2112	2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cf4c932c6b1673b42b6d6b4ff2a9056_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Program Files (x86)\PCenter\agent.exe
  "C:\Program Files (x86)\PCenter\agent.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\PCenter\agent.exe

Filesize
542KB

MD5
ac71935ae6a741bb1a9fe3e9434d2ab7

SHA1
15881676d6ec354853ae1d8875fab4bd1ea62ee6

SHA256
d35094bfadaba50d0118df212aa3da12eda95394561d941c92e02d387c436f54

SHA512
98c9b5b71d6667e1fd1bf0bb911c742a6cae3b6205dbab82f3c342805f6de346cd43f1772958118321d37760e9189f34a951dbead2a03ba86e69ab31f4bb0c6f

Download Submit
\Program Files (x86)\PCenter\pc.exe

Filesize
1.8MB

MD5
fc6aac128fb461c4814ed653edc570a8

SHA1
6ef1fcbc192217792a8d8247194adc7cc8cca1ef

SHA256
8334d35be654a7b50ed7de7093a6092e8283d05a0e23818b9fb61a3c47047956

SHA512
df796113656ff687f62392188960b4b4896c055792fb97f50e0eb7245b37c78e458a50a636ae7e7de30255e37276c22d9df6a0883ee2f46086895ef42f910db7

Download Submit
memory/2288-39-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2288-40-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads