45379b2a4ab8f51a5c3317273dbe29a159f70f6d84739b5a3d8dc27c25a02d18

General

Target

f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Size

157KB
MD5

f67fb6e8560fbd1130f21cb4726c3d8b
SHA1

bdf8f804a26b6470c0026d2617a92195f6cea4f8
SHA256

45379b2a4ab8f51a5c3317273dbe29a159f70f6d84739b5a3d8dc27c25a02d18
SHA512

28eea5780818a4abb967e95b6b6c56003122d549f2ed4ba2804c0f47bcd99cd9e4f10110e4026deba2c0cd8407ccd19a66ae2a6b837be040af4b764cee3c1fbe
SSDEEP

3072:6j9mD4Pa78AgZUUeXUbsCDUOBYJwyrN/sVywaEj1UszBt:6jYD4PawAJ1U4CDU3nh9wv1UABt

Score

6^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lcss.exe	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\crypto.dll	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wlogon.dll	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\net.cpl	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll"	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2124	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
Token: SeDebugPrivilege	2124	f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f67fb6e8560fbd1130f21cb4726c3d8b_JaffaCakes118.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\lcss.exe

Filesize
147KB

MD5
be22c6a27f23ff31c1b16d52e985e0f3

SHA1
b8ba9442355587c14872e63fce37c5b5042b1be8

SHA256
56daa815f36ca461c63eb94506b0f4637700cea89443d270fb80882b72f71b69

SHA512
78d4b0408e1bdbb9ae5057d29243a9d90fbe8fc84b3662825e622e400110ffa39de215110cedb6398e4fd0181b444b610b3dde0c02c43c8e920f0be102e0ef01

Download Submit
C:\Windows\SysWOW64\net.cpl

Filesize
114KB

MD5
de9590cffe66df2c6e427885a48ee426

SHA1
e9d26b391ea40bb77dd9dc59e8dec2a38b320657

SHA256
f3378466828ddd35c0a2005e43b3d5155d56dd4d0a646843ad0842e55d5df6ba

SHA512
debbe33822f91ca64b12a3377316b438e61beebe67abc81a29424d98db1eb30150ac99896fd4bd85fe5a0081df0c7764ae638c2cdf39a7f1c02e7ccd8e130bc6

Download Submit
memory/2124-24-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads