cd3f9d23719231cd510b252746d34f798e6214132282b5d1c6107af281765fe1

General

Target

eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
Size

304KB
MD5

eed545a854ece23d746a0e6a89bc72d9
SHA1

0a271ecc7db5f0bf3151a455bac335b43d350682
SHA256

cd3f9d23719231cd510b252746d34f798e6214132282b5d1c6107af281765fe1
SHA512

6dc49d713e317d1f91b6abd7d554cf611111629cc250ce909537333d99f778a56fede14b5a3a1a98d9ba9531618e596e4b8bb4c5d8f60d89ab51142e3bc0a47e
SSDEEP

6144:GA7TgGATIr4tccyvkhznX75wS5f8evpmu:b7ATIMbnwg4

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\Arquivos de programas\\DtSLLuqn.exe"	eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents	eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN	eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents\MSFS	eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents\MAPI	eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents\IMAIL	eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	sites.google.com
8	sites.google.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\winlogn.ini	eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
File created	C:\WINDOWS\system\log.ini	eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1456	eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\log.ini

Filesize
476KB

MD5
c1b01e45f9e98c7da889fd4fbe51beb7

SHA1
478b7828faacbe1956f6efafb89ecc0e4b27f8f6

SHA256
dbc21a49e318aec1bfbc03f700344aa16edf7a806462f780d7937dc3142402d7

SHA512
eb50e05421d439dd2f8bf1dd372acf031e081cbdb87468e206b678c30a67ced4a22be82af406464e86ed4534619c37a1789eb9802067c99834325b9c5767aca0

Download Submit
memory/1456-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-41-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-34-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-35-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-36-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-3-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-39-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-37-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-40-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1456-42-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-43-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-44-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1456-45-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads