43829e246dd04336968552b496bb3ddfaa6847e8d296e42ae3a9fe2dfad91e06

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
Size

2.3MB
MD5

0185bbadaecfaf35d399f198d302a77c
SHA1

0530f5aff3cc71331d58aad927ad4abf10b14444
SHA256

43829e246dd04336968552b496bb3ddfaa6847e8d296e42ae3a9fe2dfad91e06
SHA512

590063f749c08b54d043769d845e91e374bc8aebcf330d12efb254d8d541fc81323dae603b1e1c733e97033f85dc728381787b0de28d94a7f691b8630f9751a8
SSDEEP

49152:5CLDqigMXSNZQD5j3cLfkkKSalp4+Z/FPnWnLvJ3+EdBy0SWjuDR:ZxMXSNZQFcxgdtPn6xLBy1quDR

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1D8F.tmp	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1DAF.tmp	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1DCF.tmp	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1E11.tmp	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1DEF.tmp	0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0185bbadaecfaf35d399f198d302a77c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\idlj.exe

Filesize
75KB

MD5
f35c0109abb91e6e118bd9ad2fbafa78

SHA1
74290ff5b82ec24f36d7579a198349fdad7dc76a

SHA256
4b99b234713c443ae5b57eae9fada3267bd4a36f06e16f9bee82249b91d747cf

SHA512
e9f8a42df9d30c2fb3f7efa6705dea8e10479e9d85df45ebd9678953ed79654c576d909c794c83694280b233d404b8df85f1a1d6571ec4c5199ca3c625ac79c9

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
2.3MB

MD5
0185bbadaecfaf35d399f198d302a77c

SHA1
0530f5aff3cc71331d58aad927ad4abf10b14444

SHA256
43829e246dd04336968552b496bb3ddfaa6847e8d296e42ae3a9fe2dfad91e06

SHA512
590063f749c08b54d043769d845e91e374bc8aebcf330d12efb254d8d541fc81323dae603b1e1c733e97033f85dc728381787b0de28d94a7f691b8630f9751a8

Download Submit
memory/2760-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-116-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-111-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-112-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-109-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-117-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-118-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-119-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-120-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-121-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-122-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads