f3f360afbe615cb0e21bbef7f14eb6d9806bd7bb2a2ee3c5f0e3634793034d7e

General

Target

61ac2256a931e259e3978b8731519242_JaffaCakes118.exe
Size

241KB
MD5

61ac2256a931e259e3978b8731519242
SHA1

342987b6d29af9849d6f2ccd6b349706d2da7b3d
SHA256

f3f360afbe615cb0e21bbef7f14eb6d9806bd7bb2a2ee3c5f0e3634793034d7e
SHA512

362f1be0b43e0ff37da337ef69b7c14dfc922987af2f016d3fa13b5a7ac1de2cef9130cbd16bc3c1f5def06111bed13b257f2c68d02e2f55ece07baafc48edfb
SSDEEP

3072:lxUjEyceq3/M+DjQDA8DfKrFHasUzFEJWmFezJxs3QrTw81oJRwhHt:gjEyz0/MzJfkZWzmpUV1oL0

Score

10^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	61ac2256a931e259e3978b8731519242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	winlogon.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4944	netsh.exe

Deletes itself 1 IoCs

pid	Process
224	winlogon.exe

Executes dropped EXE 1 IoCs

pid	Process
224	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	61ac2256a931e259e3978b8731519242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	61ac2256a931e259e3978b8731519242_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	winlogon.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3652	61ac2256a931e259e3978b8731519242_JaffaCakes118.exe
224	winlogon.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4944	3652	61ac2256a931e259e3978b8731519242_JaffaCakes118.exe	89
PID 3652 wrote to memory of 4944	3652	61ac2256a931e259e3978b8731519242_JaffaCakes118.exe	89
PID 3652 wrote to memory of 4944	3652	61ac2256a931e259e3978b8731519242_JaffaCakes118.exe	89
PID 3652 wrote to memory of 224	3652	61ac2256a931e259e3978b8731519242_JaffaCakes118.exe	91
PID 3652 wrote to memory of 224	3652	61ac2256a931e259e3978b8731519242_JaffaCakes118.exe	91
PID 3652 wrote to memory of 224	3652	61ac2256a931e259e3978b8731519242_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\61ac2256a931e259e3978b8731519242_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61ac2256a931e259e3978b8731519242_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" CityScape Enable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4944
- C:\Users\Admin\AppData\Roaming\winlogon.exe
  /d C:\Users\Admin\AppData\Local\Temp\61ac2256a931e259e3978b8731519242_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
241KB

MD5
e776928b6692598b7c4b55675eea15a1

SHA1
7a06182100023fb5e919c1b96a65b32859417041

SHA256
f8083564c6f2a8e4742fdeb68023436dc2bbd89a854c07860c009d67a06ee9b8

SHA512
90ccfa9066191e151d69e116fd70b08ea265d4c0f6bf559816ca39aa46ab4f5fe7aeb2e4b765eee57e7df89f47c286421e984eb638b1258738cf7875599f2597

Download Submit
memory/224-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-30-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-0-0x0000000000910000-0x0000000000951000-memory.dmp

Filesize
260KB

Download
memory/3652-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads