821303f7b58dc753c603f72631b9900103b5bb549f362c9cdb0dbeea0fa77f83

General

Target

860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
Size

40KB
MD5

860032b2fc215e7a236cc9d8d9ca18ef
SHA1

2ee07b79a21ddb5477aefbe8278c2768b915f585
SHA256

821303f7b58dc753c603f72631b9900103b5bb549f362c9cdb0dbeea0fa77f83
SHA512

f25a1879e748b5dfd720bfaceb8a15af3d81e519d81a0ec48c5786936aa0e9613413a8ab909e2c73ef6c55327df9015c087809fd37ae75d378f63ad357dcfaa3
SSDEEP

384:BQot15+qFW2JIdEsCk566MwqhZFy1SeKxdRlKDfnKDzL50:aotjTFWcFqY6MeSeCRSy+

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe,"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe,"	rundll32.exe

Deletes itself 1 IoCs

pid	Process
2440	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
2440	rundll32.exe
1484	daemon.exe
2900	rundll32.exe

Loads dropped DLL 6 IoCs

pid	Process
2452	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
2452	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
2440	rundll32.exe
2440	rundll32.exe
1484	daemon.exe
1484	daemon.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\rundll32.exe	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
File opened for modification	C:\Windows\system.ini	rundll32.exe
File opened for modification	C:\Windows\Driver\daemon.exe	rundll32.exe
File opened for modification	C:\Windows\system.ini	daemon.exe
File created	C:\Windows\Driver\daemon.exe	rundll32.exe
File opened for modification	C:\Windows\system.ini	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
File created	C:\Windows\Driver\daemon.exe	rundll32.exe
File created	C:\Windows\system\rundll32.exe	daemon.exe
File opened for modification	C:\Windows\system.ini	rundll32.exe
File created	C:\Windows\system\rundll32.exe	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daemon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2452	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
2440	rundll32.exe
1484	daemon.exe
2900	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2440	2452	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2440	2452	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2440	2452	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2440	2452	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2440	2452	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2440	2452	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2440	2452	860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe	31
PID 2440 wrote to memory of 1484	2440	rundll32.exe	32
PID 2440 wrote to memory of 1484	2440	rundll32.exe	32
PID 2440 wrote to memory of 1484	2440	rundll32.exe	32
PID 2440 wrote to memory of 1484	2440	rundll32.exe	32
PID 1484 wrote to memory of 2900	1484	daemon.exe	33
PID 1484 wrote to memory of 2900	1484	daemon.exe	33
PID 1484 wrote to memory of 2900	1484	daemon.exe	33
PID 1484 wrote to memory of 2900	1484	daemon.exe	33
PID 1484 wrote to memory of 2900	1484	daemon.exe	33
PID 1484 wrote to memory of 2900	1484	daemon.exe	33
PID 1484 wrote to memory of 2900	1484	daemon.exe	33

C:\Users\Admin\AppData\Local\Temp\860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\system\rundll32.exe
  "C:\Windows\system\rundll32.exe" -s
  2⤵
  - Modifies WinLogon for persistence
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\Driver\daemon.exe
    "C:\Windows\Driver\daemon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\system\rundll32.exe
      "C:\Windows\system\rundll32.exe" -s
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system.ini

Filesize
337B

MD5
774bf6697579d4cac3ef2b56c83f4919

SHA1
c833443f811cc89d37af2745565df038b707430f

SHA256
c06040a59b27b04fba709d59e1eff20974c908cbeb558bd18fff74e0384fd3c5

SHA512
7d2c382bc9522aca7eeffcfff80b51cb9550668a9fc3867c56e96706c72e32b1e31f0a6c39869a20081603bd3b6b52411294b5a36e6ec28368eb3066e2978e9a

Download Submit
C:\Windows\system.ini

Filesize
281B

MD5
21211668e2793528b64f523f335caf0f

SHA1
4684bfa3afc55b0ae206e531754d7897e07bb16d

SHA256
deac7251bcb8fdf99c1fdac356850fb5eba78a5031712c2259e3dbf0bd05005d

SHA512
29143ea057c864e59f1377af28b9252fb770ae5714e78687778039f0aa0d9ebb3306b484566a0e9da77f73e4d57884c634a6ced2026eec48c9bd3c104f7c6b5e

Download Submit
\Windows\system\rundll32.exe

Filesize
40KB

MD5
860032b2fc215e7a236cc9d8d9ca18ef

SHA1
2ee07b79a21ddb5477aefbe8278c2768b915f585

SHA256
821303f7b58dc753c603f72631b9900103b5bb549f362c9cdb0dbeea0fa77f83

SHA512
f25a1879e748b5dfd720bfaceb8a15af3d81e519d81a0ec48c5786936aa0e9613413a8ab909e2c73ef6c55327df9015c087809fd37ae75d378f63ad357dcfaa3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads