45b6cc0c2e3dc6845ff341d96a2bd4d838cacf4fd2b0387e3b4a196b59f44e46

General

Target

fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
Size

347KB
MD5

fd063ba242a42e0f5f70fc48ece11711
SHA1

344e524ce58625cee15c9cc82ec95ec0ee23fcc7
SHA256

45b6cc0c2e3dc6845ff341d96a2bd4d838cacf4fd2b0387e3b4a196b59f44e46
SHA512

05aee7c8d792a2247fb36d297d914941d4c19df2cf1a3496a0f1de5deb6c23895087e728f84751062972efd012f0e35e606d2ed04331dbd10e4de27ea6988905
SSDEEP

6144:DjunetgRAZMiW6cltq63XsN9jOMH64MeOJsb+KrOWzVPqc/V45XP:XeewUcltq63Xe9P5HOJsbX7V4B

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\3b05ab05\\X"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
336	csrss.exe
2604	X

Loads dropped DLL 2 IoCs

pid	Process
1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1580 set thread context of 2688	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{1694bb7d-3d49-8c91-f5a4-cbcd3994eab3}	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1694bb7d-3d49-8c91-f5a4-cbcd3994eab3}\u = "134"	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1694bb7d-3d49-8c91-f5a4-cbcd3994eab3}\cid = "8458113229640742624"	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
2604	X

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
Token: SeDebugPrivilege	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1152	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	20
PID 1580 wrote to memory of 336	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	2
PID 1580 wrote to memory of 2604	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2604	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2604	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2604	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	30
PID 2604 wrote to memory of 1152	2604	X	20
PID 1580 wrote to memory of 2688	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	31
PID 1580 wrote to memory of 2688	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	31
PID 1580 wrote to memory of 2688	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	31
PID 1580 wrote to memory of 2688	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	31
PID 1580 wrote to memory of 2688	1580	fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe	31

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1152
- C:\Users\Admin\AppData\Local\Temp\fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd063ba242a42e0f5f70fc48ece11711_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\AppData\Local\3b05ab05\X
    176.53.17.23:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3b05ab05\@

Filesize
2KB

MD5
da90876350e41d0be2155af2a1adafc8

SHA1
25fb8b07ab1a9b47fba6a1a0cec6c612c21a5d47

SHA256
7bf0b7406b416e150d0eb4928c380ac61d074ef4706d41bd2441ad6559d00c75

SHA512
a1a20c8c55718d63b6809478187b1aef0383d134b4b9a665df9d531a1c12d4e5620c440fe6f37a51a5e1bc6e73992152ff25ef693320921509226500dc2ac902

Download Submit
C:\Users\Admin\AppData\Local\3b05ab05\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
C:\Windows\system32\consrv.dll

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
7f15dc743e1a77874f2f69149b901fdb

SHA1
94bfc0521adb504789540bf13954a995dadd119e

SHA256
2674286d5d7125f3a43b137ed177fd93371554003cd490d255f68df9a81d3917

SHA512
3b0b77f370d5b58d8adc5ba3c78f017ac3904422aeaa972b39d8e9a6748b534733e2a01cc24dd6f47920b63975b7f3361d47113c21b8b3ae45de10fce9f929fb

Download Submit
memory/336-26-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/336-29-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/336-28-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/1152-50-0x00000000025E0000-0x00000000025EB000-memory.dmp

Filesize
44KB

Download
memory/1152-42-0x00000000025E0000-0x00000000025EB000-memory.dmp

Filesize
44KB

Download
memory/1152-20-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/1152-16-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/1152-54-0x0000000002A30000-0x0000000002A3B000-memory.dmp

Filesize
44KB

Download
memory/1152-22-0x00000000025D0000-0x00000000025D2000-memory.dmp

Filesize
8KB

Download
memory/1152-41-0x00000000025C0000-0x00000000025C8000-memory.dmp

Filesize
32KB

Download
memory/1152-12-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/1152-47-0x00000000025E0000-0x00000000025EB000-memory.dmp

Filesize
44KB

Download
memory/1152-51-0x0000000002A30000-0x0000000002A3B000-memory.dmp

Filesize
44KB

Download
memory/1580-9-0x0000000000470000-0x00000000004A1000-memory.dmp

Filesize
196KB

Download
memory/1580-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1580-6-0x0000000000470000-0x00000000004A1000-memory.dmp

Filesize
196KB

Download
memory/1580-30-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1580-3-0x0000000000470000-0x00000000004A1000-memory.dmp

Filesize
196KB

Download
memory/1580-53-0x0000000000400000-0x0000000000468034-memory.dmp

Filesize
416KB

Download
memory/1580-21-0x0000000000400000-0x0000000000468034-memory.dmp

Filesize
416KB

Download
memory/1580-57-0x0000000000400000-0x0000000000468034-memory.dmp

Filesize
416KB

Download
memory/1580-58-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1580-2-0x0000000000400000-0x0000000000468034-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads