4028c58dc2e2004bbed97de7bad99898cc5971cd7e56ec0c320fa2e2703b7ecc

General

Target

76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
Size

674KB
MD5

76052d4b85ec76db757eb6b4d7587fba
SHA1

a7cbdc3ec66ae4f285d754df0b88f23c28b8cf4b
SHA256

4028c58dc2e2004bbed97de7bad99898cc5971cd7e56ec0c320fa2e2703b7ecc
SHA512

9d61665165fa1b4163c54ee2196895b32466fe6db1e23586535ad36acb9fb64fa9dd7dd153a02a1b44277d593eec9e96ddbfe25c1084601c4cb8470d4de9f732
SSDEEP

12288:COwT6AVg9jzrpMPSK3+laYSnjj2FsgYSqKZdb/MJtptHmGgRC5IGxtIXc3AQ:6T6eaK3y9Sn32lYSJAVtGGgRCKgtIXcD

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\PROGRA~1\\COMMON~1\\Microsoft\\CTHELPER.EXE"	CTHELPER.EXE

Executes dropped EXE 1 IoCs

pid	Process
3040	CTHELPER.EXE

Loads dropped DLL 4 IoCs

pid	Process
3012	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
3012	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
3012	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
3040	CTHELPER.EXE

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\com.run	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
File created	C:\Program Files\Common Files\res\tc1.tmp	CTHELPER.EXE
File created	C:\Program Files\Common Files\mi.g	CTHELPER.EXE
File created	C:\Program Files\Common Files\Microsoft\com.run	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
File created	C:\Program Files\Common Files\res\tc2.tmp	CTHELPER.EXE
File created	C:\Program Files\Common Files\res\tc4.tmp	CTHELPER.EXE
File opened for modification	C:\Program Files\Common Files\onceagain.sc	CTHELPER.EXE
File created	C:\Program Files\Common Files\Microsoft\krnln.fnr	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Storeymyadmin.exe	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
File created	C:\Program Files\Common Files\krnln.fnr	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\cVer.ini	CTHELPER.EXE
File created	C:\Program Files\Common Files\Microsoft\Storeymyadmin.exe	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\krnln.fnr	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
File created	C:\Program Files\Common Files\res\tc3.tmp	CTHELPER.EXE
File created	C:\Program Files\Common Files\onceagain.sc	CTHELPER.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTHELPER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3040	CTHELPER.EXE
3040	CTHELPER.EXE
3040	CTHELPER.EXE
3040	CTHELPER.EXE
3040	CTHELPER.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3012	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
3012	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
3012	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
3040	CTHELPER.EXE
3040	CTHELPER.EXE
3040	CTHELPER.EXE
3040	CTHELPER.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3040	3012	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe	29
PID 3012 wrote to memory of 3040	3012	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe	29
PID 3012 wrote to memory of 3040	3012	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe	29
PID 3012 wrote to memory of 3040	3012	76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76052d4b85ec76db757eb6b4d7587fba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Program Files\Common Files\CTHELPER.EXE
  "C:\Program Files\Common Files\CTHELPER.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft\cVer.ini

Filesize
68B

MD5
f098b2fc2d4cdbc9266f006c4a0cd049

SHA1
a85348a2e6aef5515bdbb017177d152d761f99e0

SHA256
b45dee154cb2e6408219462e79c90eecc77d785f452fed0dba37360302f5920a

SHA512
f3ed513c43bc16cad24ace7ffbeee14220eeae01ce59b20697afea5709854e4579b8ee423941a2ecacc11a79717fc607c87cce2e7a35ecaf5352e3ae54184ebf

Download Submit
C:\Program Files\Common Files\Microsoft\cVer.ini

Filesize
68B

MD5
b7f13f2180966960fef6ac625d35b3bb

SHA1
c2a2b1e7c15e344f6d9279ec2d4358b7d5c09450

SHA256
ce5e8b7472983e544d5688b2a2fd79269fadb1cbff672af8afd9bf61d6060fa0

SHA512
44be74dfa5b1877b0880990b5a0088ee912b4a300c38a02d2982fae54bded6b3ee34e344eb721e63dc9c908e92f6bd08e7f35bfd0a3f187f81c00432541b88a7

Download Submit
C:\Program Files\Common Files\Microsoft\cVer.ini

Filesize
58B

MD5
cdceeceee6fed31fe739fa9f3e995fe0

SHA1
c18060df86d2f0b6129dba8ed965dc8c7fb2aa55

SHA256
9b16f939608d7d8ec3d7c78a28b91d59bd4401a5f86f9899ebce6c7d9bad8f1a

SHA512
4d46cb1eceb00dd4fca14dff0b08ed0b2fefca1024593ad06df07e239638788040032f8d7de80e2a1764d7199ac3ed80cb810cdf1bcf3f93b864b554768c4c30

Download Submit
C:\Program Files\Common Files\Microsoft\cVer.ini

Filesize
68B

MD5
72331e0cd08314bbe5a8a90893b5f73b

SHA1
9eec5356b589a18450a34d39745594e0343aa82f

SHA256
85cc23968ea393f9f96a8707e3aa2aa3de0fff346f5335282e046aad5d17dc92

SHA512
ab110d744d538d70f314cf3dd8b80fe4e4c865458711ab2df66ca5f48a64e8e76a72cab0dc2a18a0919321da15bbe302789163bcc3122caf0ca124d22dbf3c00

Download Submit
\Program Files\Common Files\CTHELPER.EXE

Filesize
963KB

MD5
2e7cc8e7e4e36bc31a2cc09f0f445b3d

SHA1
0a045862bf411a6bfb08b15c74a88ecc72059fe3

SHA256
1dc4b72256b8675bd04ba68e9c3979b1e4bb511d9cf959bcdfa7a184ab06ccbd

SHA512
64ddca2942454fb2e2f8197d13679d8f1ab7aa9b6e7a33745dfaf69abcb57f39927c09218d3e871ea04478521782aab3f4ef7965e9699357c363be999858f765

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
378KB

MD5
aaf112c6e858ed3fd8d2132cc60bf8c8

SHA1
c0b9c27c14de77ac78f6dbc8cba1ae403d82cf7c

SHA256
42f6867590e93aee0c7723802b771981c2b01f95e611e2e4691eb1af2353863f

SHA512
cc8ec3f9e2f06df2b66477f5a4b70fc8e6d6977ca997091d6dc853dcf8e13d4f2a14668e12c1907541660f43ac93c7e3f10b3a17c09ab909fa18d42ef762a245

Download Submit
memory/3012-0-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/3012-33-0x0000000002650000-0x0000000002744000-memory.dmp

Filesize
976KB

Download
memory/3012-37-0x0000000002650000-0x0000000002744000-memory.dmp

Filesize
976KB

Download
memory/3012-6-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3012-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3012-46-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3012-47-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/3012-7-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download
memory/3012-2-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/3040-38-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3040-59-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/3040-66-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3040-57-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/3040-74-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3040-56-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3040-82-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3040-36-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/3040-90-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads