6cd9b986f6e133bf30115d6e49871b97e09335538f86fdf37a328fa2f7e3fd5b

General

Target

0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Size

107KB
MD5

0358e215e0a9994d5f59c2a7c60366af
SHA1

c37da2537f6162aaca518e5223929db2eea2610e
SHA256

6cd9b986f6e133bf30115d6e49871b97e09335538f86fdf37a328fa2f7e3fd5b
SHA512

349bf1cb07fbd5023bba8a0c936b6ee07115b81d15eed41fe594a0d35ef3472bad01074c16107050e094921cc401acf53712c6c16894c4bf7a79a51dad363498
SSDEEP

3072:eYQtt+Duvs/lxp2JbJ9JWB9NqML4kj+wC4v1:eYQC7PpAbJ9JWskj+9m

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Systen.dll	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Systen.dll	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\259419881.dat	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
File created	C:\Windows\IEJLCM.bat	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
File created	C:\Windows\BVBHXJ.bat	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
File created	C:\Windows\AAWFHR.dll	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
File opened for modification	C:\Windows\AAWFHR.dll	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
File created	C:\Windows\259419772.dat	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
File created	C:\Windows\259419834.dat	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeBackupPrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeRestorePrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeBackupPrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeRestorePrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeBackupPrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeRestorePrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeBackupPrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeRestorePrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeBackupPrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeDebugPrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
Token: SeDebugPrivilege	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 432	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe	5
PID 2792 wrote to memory of 2612	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2612	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2612	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2612	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2724	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2724	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2724	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2724	2792	0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe	32

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0358e215e0a9994d5f59c2a7c60366af_JaffaCakes118.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\IEJLCM.bat" C:\Users\Admin\AppData\Local\Temp\0358E2~1.EXE"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\BVBHXJ.bat" C:\Windows\AAWFHR.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AAWFHR.dll

Filesize
162KB

MD5
e5ed38ae0e7b7b9dcfd08e9d7546204b

SHA1
be6c2e03678b6b468fb27a73277a1efc1d684d0f

SHA256
3664345d8087811ce2d6aa7542c319dd234bd349502ff95189e5a1cba4945c1a

SHA512
c67117d067e4ea1169d1d6847a6f5830e85ae875bfa4f7e36e8e7839b9b0d5c5c37973f5b5103d09384109851fe37138318c535e170edcfd393f202f4dd12621

Download Submit
C:\Windows\IEJLCM.bat

Filesize
55B

MD5
6e8746e34abb1a9fe60e344ccd504f8f

SHA1
2d758f13f47e6e70c526c006ab62f6c54e58fc88

SHA256
e4ad97c9c116b065cc796b301c561878325b66072dcc62ab8019c4060170adea

SHA512
30344a8c73e1c2f456532249b8cd7160aef24b870dd1da53023ab480e2c5f87ef660096d06e1fd589a71115ec280d058b949de42439fe6153cf47334cc2e3e11

Download Submit
memory/432-8-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/2792-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2792-3-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/2792-23-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/2792-24-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads