7b33f299b0cb7fcc4d4038d29ef24798e3a8b23b26a46da67fa3209f499e15d5

General

Target

4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe
Size

5.1MB
MD5

4ad762d71871c8d17d9d07f6c654b2df
SHA1

f6f70e88f8ef7c5ed1ff85d9fcdb1d410c7f31a9
SHA256

7b33f299b0cb7fcc4d4038d29ef24798e3a8b23b26a46da67fa3209f499e15d5
SHA512

2d54e52383a086231d4122b3ac50cc5925072b9d72f67a4a6b30bce15a5e790d69b4d8130fad2920d273752b946e0a28591428937ec0e66dfe699d651d1f0f40
SSDEEP

24576:MP09/wTXGJZ4+cOAlVZIfd6LymDZpfimWbDntBJMe6AwcFNguxoCWcP+Sf:MQ/AGInZGALyWP32t4hcFNHyfc2I

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\0e94107c\\X"	Explorer.EXE

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2516	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exeX

pid	Process
332	csrss.exe
2844	X

Loads dropped DLL 2 IoCs

Processes:

4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe

pid	Process
2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe
2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2092 set thread context of 2516	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	31

Modifies registry class 3 IoCs

Processes:

4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{8b7b1c4f-2775-6e50-2822-c9765af149fd}	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8b7b1c4f-2775-6e50-2822-c9765af149fd}\u = "134"	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8b7b1c4f-2775-6e50-2822-c9765af149fd}\cid = "7149658695677013697"	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exeX

pid	Process
2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe
2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe
2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe
2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe
2844	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe
Token: SeDebugPrivilege	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exeX

description	pid	Process	procid_target
PID 2092 wrote to memory of 1264	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	21
PID 2092 wrote to memory of 332	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	2
PID 2092 wrote to memory of 2844	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2844	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2844	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2844	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	30
PID 2844 wrote to memory of 1264	2844	X	21
PID 2092 wrote to memory of 2516	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2516	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2516	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2516	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2516	2092	4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe	31

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1264
- C:\Users\Admin\AppData\Local\Temp\4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4ad762d71871c8d17d9d07f6c654b2df_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\0e94107c\X
    176.53.17.23:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0e94107c\@

Filesize
2KB

MD5
a91666db84a85c2bd5d478c41b5ec0c2

SHA1
b1382cb616df9ce5f7554406a2379b7e4d978460

SHA256
890897451fcdf5709ecb0c9eaee2e2612f464f64b4a552fe41c3deef9b34ade9

SHA512
3ceb2b0e180ae0499a844cf95bdafcdeae57a5e566c454bc640343ee2416dd357249dc255c4ef1f2da5e6d2ab304130df32ef4e9849428074561600d4e4f4c50

Download Submit
C:\Windows\system32\consrv.dll

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\Users\Admin\AppData\Local\0e94107c\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
c2593e421506ee052709404af4ea4373

SHA1
6929997f38d429445ae703bed27f11b3bb43f24e

SHA256
5ca422ed80663bccac65f2a7da315a7d4b6f5948eea1179b87f17dc7c8786199

SHA512
0b3858968c58849ad0e46ed8e40eb2804fe9400e1ddb8d9f61ae9829dfaf3b58cf4440786275466ca2bb14f7f5a21a05fa77a0fe49db1734b55ed06df67961b5

Download Submit
memory/332-29-0x0000000000E60000-0x0000000000E6C000-memory.dmp

Filesize
48KB

Download
memory/332-27-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/332-28-0x0000000000E60000-0x0000000000E6C000-memory.dmp

Filesize
48KB

Download
memory/1264-40-0x0000000002570000-0x000000000257B000-memory.dmp

Filesize
44KB

Download
memory/1264-49-0x0000000002590000-0x000000000259B000-memory.dmp

Filesize
44KB

Download
memory/1264-22-0x0000000002560000-0x0000000002562000-memory.dmp

Filesize
8KB

Download
memory/1264-20-0x0000000002570000-0x0000000002576000-memory.dmp

Filesize
24KB

Download
memory/1264-16-0x0000000002570000-0x0000000002576000-memory.dmp

Filesize
24KB

Download
memory/1264-12-0x0000000002570000-0x0000000002576000-memory.dmp

Filesize
24KB

Download
memory/1264-57-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/1264-58-0x0000000002590000-0x000000000259B000-memory.dmp

Filesize
44KB

Download
memory/1264-48-0x0000000002570000-0x000000000257B000-memory.dmp

Filesize
44KB

Download
memory/1264-44-0x0000000002570000-0x000000000257B000-memory.dmp

Filesize
44KB

Download
memory/1264-51-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/2092-50-0x0000000000400000-0x00000000004694C4-memory.dmp

Filesize
421KB

Download
memory/2092-21-0x0000000000400000-0x00000000004694C4-memory.dmp

Filesize
421KB

Download
memory/2092-6-0x00000000003B0000-0x00000000003E3000-memory.dmp

Filesize
204KB

Download
memory/2092-2-0x0000000000400000-0x00000000004694C4-memory.dmp

Filesize
421KB

Download
memory/2092-9-0x00000000003B0000-0x00000000003E3000-memory.dmp

Filesize
204KB

Download
memory/2092-55-0x0000000000400000-0x00000000004694C4-memory.dmp

Filesize
421KB

Download
memory/2092-56-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2092-31-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2092-3-0x00000000003B0000-0x00000000003E3000-memory.dmp

Filesize
204KB

Download
memory/2092-1-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads