1a78b6a8273f5f50e029053a4e5b0fb124f730ddb675257581ef0e531495c270

General

Target

ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
Size

21KB
MD5

ea61e8d74f76bdeacf57ce8e912d3983
SHA1

93a742cea984eb31e7765a71cc4e75ee80af94c4
SHA256

1a78b6a8273f5f50e029053a4e5b0fb124f730ddb675257581ef0e531495c270
SHA512

03bc938545582ef7808bcebb580a432265ed463c50ed947863b4356be7c841ca68becdbd49f3f1528f3ce28a0af94353d7b608c5dae34b91a227c90eb05d2b7b
SSDEEP

384:9eJUzTNMpBiVMZq7BPxQU82+oPpq2uMdOYMSdKAbS0:PzTNMpuMw1ZQx2uMH

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe:*:Enabled:explorer"	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000012117-2.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2420	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl\MaxWait = "1"	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl\nk48id = "[C319EC6A64B37E374]"	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl\DllName = "zopenssl.dll"	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl\Startup = "zopenssl"	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl\Impersonate = "1"	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl\Asynchronous = "1"	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zopenssl.dll	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zopenssld.sys	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2420	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1212	2420	ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea61e8d74f76bdeacf57ce8e912d3983_JaffaCakes118.exe"
  2⤵
  - Modifies firewall policy service
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\zopenssl.dll

Filesize
16KB

MD5
0bac3a3e3933766def6abcc88fa10d7d

SHA1
4a11031169805c9e954fc4e1c50ddb3d82429bb4

SHA256
ce35eefdd1df20b8f34f4d95ce6f83c4167cc47d09f5a23c82de8e25d28e9d16

SHA512
dbd105a7849a7030039ab32ec819a3d9d8e6f1f6d5aea9b61efe5e1bd6a194025c39d56cad1d97c74251c5f85fd96f676374a224f7436c1b9ae0435b0a3ac09d

Download Submit
memory/1212-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/2420-6-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2420-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2420-8-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads