cbb650609d72599b828c8ebe852de0cb8d77d2dee6babef908f825acb013dbd8

General

Target

d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe
Size

320KB
MD5

d30f0ae35380dc665364cd70fa513760
SHA1

e80ce0e67ef73b8852df9423fbc3f658f0e27ad5
SHA256

cbb650609d72599b828c8ebe852de0cb8d77d2dee6babef908f825acb013dbd8
SHA512

1ef56f46d8630685c4bf512faa25510c0271f2f8ea4adbaed230ac3412cae03935230b616090c72a4c7fc9e504a6e6e8760fe7e2943eda8038df95dc6f1d8b2f
SSDEEP

3072:3l9yyAOJL+eyLhqzMmp/E9zkI4RkxHrBaWfYgaaHEl9pp4S8L+s6:3BE9zkI4RkxHrBaWfphEl9pp4S8LL

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Windows\\csrss.exe,"	csrss.exe

Executes dropped EXE 1 IoCs

pid	Process
2060	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2424	2060	csrss.exe	31

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\csrss.exe	d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe
File opened for modification	C:\Windows\csrss.exe	d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe
File opened for modification	C:\Windows\csrss.exe	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2672	d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe
Token: SeShutdownPrivilege	2060	csrss.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2672	d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe
2060	csrss.exe
2060	csrss.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2060	2672	d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2060	2672	d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2060	2672	d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2060	2672	d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2424	2060	csrss.exe	31
PID 2060 wrote to memory of 2424	2060	csrss.exe	31
PID 2060 wrote to memory of 2424	2060	csrss.exe	31
PID 2060 wrote to memory of 2424	2060	csrss.exe	31
PID 2060 wrote to memory of 2424	2060	csrss.exe	31
PID 2060 wrote to memory of 2424	2060	csrss.exe	31
PID 2060 wrote to memory of 2424	2060	csrss.exe	31
PID 2060 wrote to memory of 2424	2060	csrss.exe	31
PID 2060 wrote to memory of 2424	2060	csrss.exe	31

C:\Users\Admin\AppData\Local\Temp\d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d30f0ae35380dc665364cd70fa513760_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\csrss.exe
  C:\Windows\csrss.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\System32\explorer.exe ~pers~C:\Windows\csrss.exe~
    3⤵
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\csrss.exe

Filesize
320KB

MD5
d30f0ae35380dc665364cd70fa513760

SHA1
e80ce0e67ef73b8852df9423fbc3f658f0e27ad5

SHA256
cbb650609d72599b828c8ebe852de0cb8d77d2dee6babef908f825acb013dbd8

SHA512
1ef56f46d8630685c4bf512faa25510c0271f2f8ea4adbaed230ac3412cae03935230b616090c72a4c7fc9e504a6e6e8760fe7e2943eda8038df95dc6f1d8b2f

Download Submit
memory/2424-12-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2424-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2424-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2424-22-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2424-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads