616a2c337fa6bfcdd71c6ce59b921d386fe0bc4da0f7c46c48a0b4391454b7b6

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
Size

720KB
MD5

662907af250ce1b95433642306c6b46a
SHA1

87198f0f9514a74ab3001090f12e3608d3f3b3f4
SHA256

616a2c337fa6bfcdd71c6ce59b921d386fe0bc4da0f7c46c48a0b4391454b7b6
SHA512

d2edb042245098678e0046e79706e304726f8aec860a01c97730f0cbdaee619ee641ba9e0a2f71da0c08f07ed8b007131ad53fce4a38ceace8f5677fe58b6552
SSDEEP

6144:PtlyZHGq322c3V1n5QxlqNoJwUhTxWq+U7W2LmZQwEM10Kp:Ptlyd2V1GlSoJwKRf7NLS3p10K

Score

10^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2904	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2620	csrss.exe
2552	csrss.exe
2512	csrss.exe

Loads dropped DLL 12 IoCs

pid	Process
2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
2620	csrss.exe
2620	csrss.exe
2620	csrss.exe
2620	csrss.exe
2552	csrss.exe
2552	csrss.exe
2552	csrss.exe
2552	csrss.exe
2512	csrss.exe
2512	csrss.exe
2512	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 1248 set thread context of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 2620 set thread context of 2552	2620	csrss.exe	36
PID 2552 set thread context of 2512	2552	csrss.exe	37

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
Token: SeBackupPrivilege	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
Token: SeRestorePrivilege	2512	csrss.exe
Token: SeBackupPrivilege	2512	csrss.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
2620	csrss.exe
2552	csrss.exe
2512	csrss.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1248	2284	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	31
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2184	1248	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	32
PID 2184 wrote to memory of 2904	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2904	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2904	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2904	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2904	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2904	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2904	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2620	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	35
PID 2184 wrote to memory of 2620	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	35
PID 2184 wrote to memory of 2620	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	35
PID 2184 wrote to memory of 2620	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	35
PID 2184 wrote to memory of 2620	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	35
PID 2184 wrote to memory of 2620	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	35
PID 2184 wrote to memory of 2620	2184	662907af250ce1b95433642306c6b46a_JaffaCakes118.exe	35
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2620 wrote to memory of 2552	2620	csrss.exe	36
PID 2552 wrote to memory of 2512	2552	csrss.exe	37
PID 2552 wrote to memory of 2512	2552	csrss.exe	37
PID 2552 wrote to memory of 2512	2552	csrss.exe	37
PID 2552 wrote to memory of 2512	2552	csrss.exe	37
PID 2552 wrote to memory of 2512	2552	csrss.exe	37
PID 2552 wrote to memory of 2512	2552	csrss.exe	37
PID 2552 wrote to memory of 2512	2552	csrss.exe	37
PID 2552 wrote to memory of 2512	2552	csrss.exe	37
PID 2552 wrote to memory of 2512	2552	csrss.exe	37
PID 2552 wrote to memory of 2512	2552	csrss.exe	37
PID 2552 wrote to memory of 2512	2552	csrss.exe	37

C:\Users\Admin\AppData\Local\Temp\662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\662907af250ce1b95433642306c6b46a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Nero" dir=in action=allow description="Multimedia suite" program="C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2904
  - - C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\662907af250ce1b95433642306c6b46a_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
        
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0ac9365d5ee3fa2fb9ab0a0f54fb39f

SHA1
3791750b05c3b0da5f2dec5cbb66ec1f2017a7e9

SHA256
4fbf46b0d4b50fca0d571b8cde7b32a65ba45c039881af2bc3dedddcfb9fd965

SHA512
2dc604f4d402b61441625794f042db34c55aa94ba54add469371938244bf4e86edd7e1ec35a4bb4ac6251a4e0c9972178667f54a057acddc15cc01d30d0080bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4DA5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4EA2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csrss.exe

Filesize
720KB

MD5
662907af250ce1b95433642306c6b46a

SHA1
87198f0f9514a74ab3001090f12e3608d3f3b3f4

SHA256
616a2c337fa6bfcdd71c6ce59b921d386fe0bc4da0f7c46c48a0b4391454b7b6

SHA512
d2edb042245098678e0046e79706e304726f8aec860a01c97730f0cbdaee619ee641ba9e0a2f71da0c08f07ed8b007131ad53fce4a38ceace8f5677fe58b6552

Download Submit
memory/1248-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1248-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2184-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2184-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2184-31-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2184-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2184-9-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2184-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2512-194-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2552-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads