536277b88cc12f7ceba1b706209cbd49ad8ac4bb6530c20c5afbb2f116ff9750

General

Target

ece4b7bfe469bf0f30029bcbcf9bb520_JaffaCakes118.exe
Size

472KB
MD5

ece4b7bfe469bf0f30029bcbcf9bb520
SHA1

adf241afb85aa339a4037e4d1645042a810c5e8e
SHA256

536277b88cc12f7ceba1b706209cbd49ad8ac4bb6530c20c5afbb2f116ff9750
SHA512

7274c260558a194d63b70e23d6464bcf9b852207f66a09da4d3551131f70cc6414a335080e556e4ccb986f3bdd7ffbeae4e6e702a7c752c209d603b18f16248e
SSDEEP

6144:mPhmDTfL0IPDnlI1iTNndjjRrJlybvOIEbuUkblgqp5kAUk/:aqTQIblmsHRrJlyb2IEbubbvnUk/

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\WINDOWS\\csrss.exe"	tmp.exe

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	tmp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	tmp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\csrss.exe = "C:\\WINDOWS\\winlogon.exe"	tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3588	tmp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mswinlogon = "C:\\WINDOWS\\mscsrss.exe"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\systemupdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe"	tmp.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\MSWINSCK.OCX	tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	ece4b7bfe469bf0f30029bcbcf9bb520_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3588	tmp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3588	2260	ece4b7bfe469bf0f30029bcbcf9bb520_JaffaCakes118.exe	82
PID 2260 wrote to memory of 3588	2260	ece4b7bfe469bf0f30029bcbcf9bb520_JaffaCakes118.exe	82
PID 2260 wrote to memory of 3588	2260	ece4b7bfe469bf0f30029bcbcf9bb520_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\ece4b7bfe469bf0f30029bcbcf9bb520_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ece4b7bfe469bf0f30029bcbcf9bb520_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  C:\Users\Admin\AppData\Local\Temp\tmp.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies firewall policy service
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
220KB

MD5
cada83db12edf977fda95c15c9e0db09

SHA1
a5820e6b2bfc7d58054781ea4b3007dadcdec59b

SHA256
a5ac2a3fc57336eb15032472a443b46d25e6e161ebdcb100740d773908065e1a

SHA512
08e0ec5a55d394c3f1eef87c079d652b991b29bf43d7e85df5f2b2bf7a094eaa355ec9099026988ff4cf7a71b56aed55fb38c58f3ddeec2004061b8b970683bf

Download Submit
memory/2260-0-0x00007FFB52195000-0x00007FFB52196000-memory.dmp

Filesize
4KB

Download
memory/2260-1-0x000000001BF10000-0x000000001BFB6000-memory.dmp

Filesize
664KB

Download
memory/2260-2-0x00007FFB51EE0000-0x00007FFB52881000-memory.dmp

Filesize
9.6MB

Download
memory/2260-3-0x00007FFB51EE0000-0x00007FFB52881000-memory.dmp

Filesize
9.6MB

Download
memory/2260-4-0x000000001C490000-0x000000001C95E000-memory.dmp

Filesize
4.8MB

Download
memory/2260-5-0x000000001CA50000-0x000000001CAEC000-memory.dmp

Filesize
624KB

Download
memory/2260-6-0x0000000001900000-0x0000000001908000-memory.dmp

Filesize
32KB

Download
memory/2260-7-0x000000001CBB0000-0x000000001CBFC000-memory.dmp

Filesize
304KB

Download
memory/2260-19-0x00007FFB51EE0000-0x00007FFB52881000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads