a956be80bde1f5b83c1833fd34ab2f98ee25ae6ffce54a67cbee89099f0fab52

Analysis

max time kernel
148s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 23:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
Size

529KB
MD5

d547306a9fe2b6e8d9c67b3d2d30fa86
SHA1

2e72e74504fa4cc4761027864fe5796bad49bb58
SHA256

a956be80bde1f5b83c1833fd34ab2f98ee25ae6ffce54a67cbee89099f0fab52
SHA512

2f7c4ce5fd5b9057b7554b909168b29f7169ffca09790f74ec3ec79cb8bd62de68587ccd7e8da951b3d03233b59a2bda3cec092443544a2dc541562f97c95d3f
SSDEEP

12288:51bb/fuGCyf9YuXoK+cBe5TuSbHTnFL+kjoPbk+5+I:51brCA9ZYKdBQu6HTFL+kw5n

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\initial_prefere.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\createdump.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXBA2F.tmp	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXBA0F.tmp	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d547306a9fe2b6e8d9c67b3d2d30fa86_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\java-rmi.exe

Filesize
75KB

MD5
0b37e6ebc5f905b0ffc16c775933f0b8

SHA1
c456d32924524b9d5d3fe7029e8ccdce12baa880

SHA256
0827d2ca7188534527f1fbd30c5333b8ceeb5a0be8bfa6c5aa26703f2ac54da3

SHA512
58fb97ae2e6536660ac589520618696842b9b06b27c7afb7e0231a3d193b955e7f22795129fe8d53ed681e94353bac3e1a16a8763d99dc26bfcdd268c338a5d2

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
529KB

MD5
d547306a9fe2b6e8d9c67b3d2d30fa86

SHA1
2e72e74504fa4cc4761027864fe5796bad49bb58

SHA256
a956be80bde1f5b83c1833fd34ab2f98ee25ae6ffce54a67cbee89099f0fab52

SHA512
2f7c4ce5fd5b9057b7554b909168b29f7169ffca09790f74ec3ec79cb8bd62de68587ccd7e8da951b3d03233b59a2bda3cec092443544a2dc541562f97c95d3f

Download Submit
memory/468-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-48-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/468-102-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads