228a1ef3d03cadcb4fa2907dbb981833e228432a620dca2a59e771c3262af2b5

General

Target

b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe
Size

338KB
MD5

b9bfecb04240ac8d81ac25cffc179b21
SHA1

a73b40a282efe4bb2925b0eace7eb8f3f25025b1
SHA256

228a1ef3d03cadcb4fa2907dbb981833e228432a620dca2a59e771c3262af2b5
SHA512

62dfa9c0e4c76cd4e7e1c6378ba959329447ea297810b5c49216ff57954f8c486fb1aa5dd3285ed611b4f27438441ae2ff3121066fce5c89b71d50ec4f18d8d4
SSDEEP

6144:GUm8d76JhYzQUOXFb7z9U7RQKIYdu0V/mj7rcS6WlsQpEC:GU96JizOZO7Rv580hmj76QpZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\455ed245\\X"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
332	csrss.exe
2760	X

Loads dropped DLL 2 IoCs

pid	Process
1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe
1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 2680	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{3daf8f03-d9d1-0942-2465-01e72a270774}	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3daf8f03-d9d1-0942-2465-01e72a270774}\u = "71"	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3daf8f03-d9d1-0942-2465-01e72a270774}\cid = "8937181324226665466"	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe
1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe
1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe
2760	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 332	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	2
PID 332 wrote to memory of 3052	332	csrss.exe	30
PID 332 wrote to memory of 3052	332	csrss.exe	30
PID 1932 wrote to memory of 2760	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	31
PID 1932 wrote to memory of 2760	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	31
PID 1932 wrote to memory of 2760	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	31
PID 1932 wrote to memory of 2760	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	31
PID 2760 wrote to memory of 1228	2760	X	21
PID 1932 wrote to memory of 2680	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2680	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2680	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2680	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2680	1932	b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe	32

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1228
- C:\Users\Admin\AppData\Local\Temp\b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b9bfecb04240ac8d81ac25cffc179b21_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\455ed245\X
    193.105.154.210:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2680

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\455ed245\@

Filesize
2KB

MD5
63e226f7344e42bed01f4e4b08220b45

SHA1
6ac6afee7b99704a9f904faf575794c78847510f

SHA256
1cc9da30bb32667e54c59bde83ba170d7a46c1ec767ac700c62ba9622bb5cbf1

SHA512
5b65160626d349904902b956afe149393f6efdef30bf5331801e07488c663ff87ab9ab0bbd754b5edb0d186d6f810391d72c2f74a0fb91c68274c8c8300db8ea

Download Submit
\Users\Admin\AppData\Local\455ed245\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
8c80e0838adf104269fc0986fb5d7fba

SHA1
38f173cc9a3e3cfe015adb45b3dfa0ae29548482

SHA256
50246db823c45f874a60b2deed71d207a2f72c773a513f2b1caa8948f2536b54

SHA512
64a3e36c33028ddbe4ef0d8d4da300e7abe6bfa9060a4f107135de6417d08beda40e0a14a79163133c53926d13617f2bc7e307d108149f41cb2997bdca582b6f

Download Submit
memory/332-18-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/332-17-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/332-19-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/332-22-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1228-39-0x0000000002B50000-0x0000000002B58000-memory.dmp

Filesize
32KB

Download
memory/1228-36-0x0000000002B60000-0x0000000002B6B000-memory.dmp

Filesize
44KB

Download
memory/1228-46-0x0000000002B70000-0x0000000002B7B000-memory.dmp

Filesize
44KB

Download
memory/1228-41-0x0000000002B60000-0x0000000002B6B000-memory.dmp

Filesize
44KB

Download
memory/1228-42-0x0000000002B70000-0x0000000002B7B000-memory.dmp

Filesize
44KB

Download
memory/1228-32-0x0000000002B60000-0x0000000002B6B000-memory.dmp

Filesize
44KB

Download
memory/1932-9-0x0000000001D50000-0x0000000001D7C000-memory.dmp

Filesize
176KB

Download
memory/1932-1-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1932-3-0x0000000001D50000-0x0000000001D7C000-memory.dmp

Filesize
176KB

Download
memory/1932-13-0x0000000000400000-0x0000000000460208-memory.dmp

Filesize
384KB

Download
memory/1932-2-0x0000000000400000-0x0000000000460208-memory.dmp

Filesize
384KB

Download
memory/1932-45-0x0000000000400000-0x0000000000460208-memory.dmp

Filesize
384KB

Download
memory/1932-20-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1932-49-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1932-50-0x0000000000400000-0x0000000000460208-memory.dmp

Filesize
384KB

Download
memory/1932-6-0x0000000001D50000-0x0000000001D7C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads