03caa0fa6511285c1ea9f521a3280cd30c45e0a4aed468e0c7cebdcbe7badadd

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
Size

70KB
MD5

d2c5a921011b608ebee1a5f5e025cf4d
SHA1

15540b4ced644cf799af4cfa21a604089b8a9984
SHA256

03caa0fa6511285c1ea9f521a3280cd30c45e0a4aed468e0c7cebdcbe7badadd
SHA512

2e0ea62d8d16ab50da6bbea5be5179856d40d6c5c61a0f265b5bbe8c5d7831d098622c661ae0ba763a23c23a02f480020d5f01ba4d061440eea7dc8003fc3597
SSDEEP

1536:4aiqH1s+kCtrA2UMT0mTFibDKa1XECrvm:51B31bdBob2QXC

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXEA15.tmp	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXE995.tmp	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXE9F5.tmp	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXE9B5.tmp	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXEA35.tmp	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXEA74.tmp	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCXE995.tmp

Filesize
62KB

MD5
c28efdd834ed453de90e550a8052f4b6

SHA1
1b4bd9e6b5254afdffa1d67e4f7f41fd320baee3

SHA256
ef1d62466f858e8f95d22c09679542c14ed2e711b64c7c75f5dd9edbd6da0ce3

SHA512
650ddc81119bf722a1af9ad01b5b76997b7cdcd075ea1a34f60ddc14902f1d0238eb8c272e83cefa2ee9f840097daedbe230049a1e7a7c1427ab9fcab30c1d47

Download Submit
C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe

Filesize
70KB

MD5
d2c5a921011b608ebee1a5f5e025cf4d

SHA1
15540b4ced644cf799af4cfa21a604089b8a9984

SHA256
03caa0fa6511285c1ea9f521a3280cd30c45e0a4aed468e0c7cebdcbe7badadd

SHA512
2e0ea62d8d16ab50da6bbea5be5179856d40d6c5c61a0f265b5bbe8c5d7831d098622c661ae0ba763a23c23a02f480020d5f01ba4d061440eea7dc8003fc3597

Download Submit
memory/1952-118-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-119-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-114-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-115-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-117-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-112-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-113-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-120-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-121-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-122-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-123-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-124-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1952-125-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads