03caa0fa6511285c1ea9f521a3280cd30c45e0a4aed468e0c7cebdcbe7badadd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
Size

70KB
MD5

d2c5a921011b608ebee1a5f5e025cf4d
SHA1

15540b4ced644cf799af4cfa21a604089b8a9984
SHA256

03caa0fa6511285c1ea9f521a3280cd30c45e0a4aed468e0c7cebdcbe7badadd
SHA512

2e0ea62d8d16ab50da6bbea5be5179856d40d6c5c61a0f265b5bbe8c5d7831d098622c661ae0ba763a23c23a02f480020d5f01ba4d061440eea7dc8003fc3597
SSDEEP

1536:4aiqH1s+kCtrA2UMT0mTFibDKa1XECrvm:51B31bdBob2QXC

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXFE75.tmp	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\initial_prefere.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\createdump.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXFE26.tmp	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXFE86.tmp	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2c5a921011b608ebee1a5f5e025cf4d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\java.exe

Filesize
62KB

MD5
45e8ad7ee42c18656a782b70c0c36038

SHA1
028a6b5eb5c6eedd6d5444a1bf61da5a0e5826ef

SHA256
cb704143c4b02f5b06540de294e4cde871a3184982f9bbbd3d0fc3dd67af6ecd

SHA512
5dbc2984666c32c2c294323d401a60829413494f9b75387052c659d518d6bd4384535a8c38be2a36e8d2eacbe23b589f88619de947dcb4baf1516c04eac94e2b

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
684KB

MD5
a00291a0938e980e883649f363531634

SHA1
c25e58d888a29c6555eee49ce4581a7e15cdc915

SHA256
4dde39271c5dc20a8b39849a4a6c98360b7eb7bcfb2bd6dbd9dd1a5e87d605a8

SHA512
9addf87e71904b34c2108d2a6a0dfde65f34e1ae331dceca2aaea00ac06bdbae55b1abbaa8f488e22a2e3ca42be7e5d2ff512fcf7de4f340724477983d48ed1b

Download Submit
memory/4544-95-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-93-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-94-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-96-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-97-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-98-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-99-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-100-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-101-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4544-102-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads