a9f15397512e7ae62b381036d8cf2babb20e391bf1c4145dfcdf03813b94bbba

General

Target

5d6860a98f0a5122b34331a275f3556b_JaffaCakes118.dll
Size

24KB
MD5

5d6860a98f0a5122b34331a275f3556b
SHA1

2af844edc64a46cf82f17b4ef20dedb49b733422
SHA256

a9f15397512e7ae62b381036d8cf2babb20e391bf1c4145dfcdf03813b94bbba
SHA512

511702b455e36023fefbb1153b97ff34c7dfd9743f0f4fa224ba071cd88011ae65fdffa60d767e90d1423dd682878d9058bbfbdc0a11b8d40fb7a0bbad6798eb
SSDEEP

384:Zve6kWKQYebBTfN4ZgeEYqpiVHESVviSDbo6dE+oekG802OyG0i02OyG0:ZDKQRjpCTtSUEQpH2OyGy2OyG

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe rundll32.exe yoyg.guo jaqwe"	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1988	2756	svchost.exe	31

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yoyg.guo	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\yoyg.guo	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\yoyg.guo	rundll32.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idid	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\idid\url0 = 1e9b6dd889e6c45673f71278b5effd1615807487dea8984374e9587db6afea5006ef7c3b9b01748723f78ef7f1e0540e	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2756	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2756	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2756	WINWORD.EXE
2756	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2004	2220	rundll32.exe	30
PID 2220 wrote to memory of 2004	2220	rundll32.exe	30
PID 2220 wrote to memory of 2004	2220	rundll32.exe	30
PID 2220 wrote to memory of 2004	2220	rundll32.exe	30
PID 2220 wrote to memory of 2004	2220	rundll32.exe	30
PID 2220 wrote to memory of 2004	2220	rundll32.exe	30
PID 2220 wrote to memory of 2004	2220	rundll32.exe	30
PID 2756 wrote to memory of 1988	2756	WINWORD.EXE	32
PID 2756 wrote to memory of 1988	2756	WINWORD.EXE	32
PID 2756 wrote to memory of 1988	2756	WINWORD.EXE	32
PID 2756 wrote to memory of 1988	2756	WINWORD.EXE	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d6860a98f0a5122b34331a275f3556b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d6860a98f0a5122b34331a275f3556b_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  PID:2004

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Process spawned unexpected child process
  - Modifies registry class
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\yoyg.guo

Filesize
24KB

MD5
9b9ada4faebba9b9266bc86756e96124

SHA1
75169d56a7569eaad5fd3bee5b8991e6d4647802

SHA256
6c154f70f8aebf4e3cb9df1a05acbbe4bc07a301f5cd2ea983fb3315fc235a13

SHA512
c7526078ed551c5796e23393ad46c7e5ee3725888cacd6288bf09d8e869cbbd587a8f18f3bbfde198e9ba37921a2521f05cbe3713e8e15c1c069613d80943f45

Download Submit
memory/1988-11-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1988-21-0x00000000602C0000-0x00000000602CD000-memory.dmp

Filesize
52KB

Download
memory/1988-22-0x00000000602C0000-0x00000000602CD000-memory.dmp

Filesize
52KB

Download
memory/2756-0-0x000000002FD61000-0x000000002FD62000-memory.dmp

Filesize
4KB

Download
memory/2756-2-0x0000000070ABD000-0x0000000070AC8000-memory.dmp

Filesize
44KB

Download
memory/2756-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2756-8-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/2756-10-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/2756-17-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2756-18-0x0000000070ABD000-0x0000000070AC8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads