08bd4c6afb3cf682b949bc4b1853a2e98b14d37569dd61d21724e6cc0c75ef53

General

Target

ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
Size

262KB
MD5

ee702697678035626ed75f89fa7bcdb5
SHA1

8f3a29e20470462d2cf1f66bcc14b6d90ebfc605
SHA256

08bd4c6afb3cf682b949bc4b1853a2e98b14d37569dd61d21724e6cc0c75ef53
SHA512

e23981d512c2892097d502cd9da929a34e9f2e824ccaaca5cb7c11bccb425f6a33247db042fb9cf9eb323e99909647312687234220ba759ab7014e81b2abffae
SSDEEP

6144:lqCbbe+R6SjMbnysLWN682NCYRDXlcTwgLnJF8UF7w68q5:pbe+IlbnBiNHYDVYwgLJFNF

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1568	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
2552	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5772ba9c = "C:\\Windows\\apppatch\\svchost.exe"	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5772ba9c = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1568	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2552	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1568	2552	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1568	2552	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1568	2552	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1568	2552	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\svchost.exe

Filesize
262KB

MD5
513d89736200a552b576cfd55d57ed4c

SHA1
1d9efb38307e71b433d2d927de37414a97e9cae2

SHA256
5e69c2a9a7664a3364b4011bac7a00ba95dbee06e9ccc478ab4e11add2bdec05

SHA512
0a2a28259c11cc074bea2de481220c2d01ff87f6fb3aa7a1edc063062f3c587e4cb1e0c4ef0be86a120451831180cad951145280bbb4eff5c98563622469dca6

Download Submit
memory/1568-36-0x00000000028A0000-0x000000000294B000-memory.dmp

Filesize
684KB

Download
memory/1568-45-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1568-43-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1568-38-0x00000000028A0000-0x000000000294B000-memory.dmp

Filesize
684KB

Download
memory/1568-42-0x00000000028A0000-0x000000000294B000-memory.dmp

Filesize
684KB

Download
memory/1568-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1568-46-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1568-47-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1568-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1568-22-0x00000000026C0000-0x000000000275C000-memory.dmp

Filesize
624KB

Download
memory/1568-28-0x00000000026C0000-0x000000000275C000-memory.dmp

Filesize
624KB

Download
memory/1568-33-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1568-32-0x00000000026C0000-0x000000000275C000-memory.dmp

Filesize
624KB

Download
memory/1568-34-0x00000000028A0000-0x000000000294B000-memory.dmp

Filesize
684KB

Download
memory/1568-30-0x00000000026C0000-0x000000000275C000-memory.dmp

Filesize
624KB

Download
memory/1568-26-0x00000000026C0000-0x000000000275C000-memory.dmp

Filesize
624KB

Download
memory/1568-24-0x00000000026C0000-0x000000000275C000-memory.dmp

Filesize
624KB

Download
memory/1568-49-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1568-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1568-50-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download
memory/1568-70-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/1568-71-0x00000000028A0000-0x000000000294B000-memory.dmp

Filesize
684KB

Download
memory/1568-68-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download
memory/1568-67-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

Filesize
4KB

Download
memory/1568-63-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/1568-61-0x0000000003D90000-0x0000000003D91000-memory.dmp

Filesize
4KB

Download
memory/1568-60-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/1568-57-0x0000000003D90000-0x0000000003D91000-memory.dmp

Filesize
4KB

Download
memory/1568-56-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download
memory/1568-54-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download
memory/1568-53-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/2552-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2552-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2552-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2552-18-0x0000000000240000-0x00000000002AC000-memory.dmp

Filesize
432KB

Download
memory/2552-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2552-1-0x0000000000240000-0x00000000002AC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads