08bd4c6afb3cf682b949bc4b1853a2e98b14d37569dd61d21724e6cc0c75ef53

General

Target

ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
Size

262KB
MD5

ee702697678035626ed75f89fa7bcdb5
SHA1

8f3a29e20470462d2cf1f66bcc14b6d90ebfc605
SHA256

08bd4c6afb3cf682b949bc4b1853a2e98b14d37569dd61d21724e6cc0c75ef53
SHA512

e23981d512c2892097d502cd9da929a34e9f2e824ccaaca5cb7c11bccb425f6a33247db042fb9cf9eb323e99909647312687234220ba759ab7014e81b2abffae
SSDEEP

6144:lqCbbe+R6SjMbnysLWN682NCYRDXlcTwgLnJF8UF7w68q5:pbe+IlbnBiNHYDVYwgLJFNF

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2920	svchost.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\ff61085e\desktop.ini	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ff700df1 = "C:\\Windows\\apppatch\\svchost.exe"	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ff700df1 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2920	svchost.exe
2920	svchost.exe
2920	svchost.exe
2920	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1496	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2920	1496	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe	89
PID 1496 wrote to memory of 2920	1496	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe	89
PID 1496 wrote to memory of 2920	1496	ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee702697678035626ed75f89fa7bcdb5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4608,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3264 /prefetch:8
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
262KB

MD5
f674b597d674621d7e5f25ca1191a973

SHA1
1e7d38a99c669177c93ff7e04001959a878e8775

SHA256
b57344400ec4a4fd1be87577f31131dc689b081d0958180f51916679dc47bd5f

SHA512
a8140b50b8baf8a14f8d1f165832e63fb7a1f69b9dad052232603a4522cc043c1d256b688d4c6b30e4e3f8c062b140fb2844068d40a67b96e7f8972b53753f7a

Download Submit
memory/1496-15-0x0000000002200000-0x000000000226C000-memory.dmp

Filesize
432KB

Download
memory/1496-1-0x0000000002200000-0x000000000226C000-memory.dmp

Filesize
432KB

Download
memory/1496-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1496-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-14-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2920-56-0x0000000002BA0000-0x0000000002C4B000-memory.dmp

Filesize
684KB

Download
memory/2920-48-0x0000000003C70000-0x0000000003C71000-memory.dmp

Filesize
4KB

Download
memory/2920-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2920-18-0x0000000002A00000-0x0000000002A9C000-memory.dmp

Filesize
624KB

Download
memory/2920-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2920-20-0x0000000002BA0000-0x0000000002C4B000-memory.dmp

Filesize
684KB

Download
memory/2920-22-0x0000000002BA0000-0x0000000002C4B000-memory.dmp

Filesize
684KB

Download
memory/2920-24-0x0000000002BA0000-0x0000000002C4B000-memory.dmp

Filesize
684KB

Download
memory/2920-28-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/2920-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2920-55-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/2920-53-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/2920-52-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/2920-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2920-46-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/2920-45-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/2920-42-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/2920-41-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/2920-39-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/2920-38-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/2920-35-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/2920-34-0x0000000003C10000-0x0000000003C11000-memory.dmp

Filesize
4KB

Download
memory/2920-32-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/2920-31-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/2920-30-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/2920-27-0x0000000002BA0000-0x0000000002C4B000-memory.dmp

Filesize
684KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads