Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2024, 03:31
Static task: static1
Behavioral task: behavioral1
  Sample: 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe
Size: 153KB
MD5: 0436a71bd5b7eebf611713cdeeb2414f
SHA1: 757ebd01bdbb002be1a696c059092a191f77d450
SHA256: dec9dcc53d1de7fe3492f327f928cf5e94d2e0d983e5009e8bac95219064d159
SHA512: 3af1283c17a77a3d352c71dceabe21b60260b8ee64399380eef30c80c5c13c3a8cc1303dd1d98914fca39def1470502e7c0280ed342181d8e2c20ac986329770
SSDEEP: 768:P0+/kNmsZKhQR5MnFQlBzkRy0L5gzQ1s96dnecPwsA/dbCtIvoVZvt5BMCwc5Fg4:7k8s7vMnFMgR3r1el2tIvk58c5Fgsd
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
description | ioc | process(es)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6280922.exe" | services.exe, m4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, winlogon.exe, lsass.exe, qm4623.exe, smss.exe, csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4280927.exe\"" | csrss.exe, m4623.exe, winlogon.exe, services.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, qm4623.exe, smss.exe, lsass.exe
-
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
description | ioc | process(es)
Set value (int) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
description | ioc | process(es)
Set value (int) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe
-
Adds policy Run key to start application (2 TTPs, 18 IoCs)
description | ioc | process(es)
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | winlogon.exe, m4623.exe, smss.exe, services.exe, qm4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, csrss.exe, lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4443c = "\"C:\\Windows\\_default28092.pif\"" | csrss.exe, qm4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, smss.exe, m4623.exe, services.exe, lsass.exe, winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe
-
Disables RegEdit via registry modification (8 IoCs)
description | ioc | process(es)
Set value (int) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe, qm4623.exe, m4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, smss.exe, winlogon.exe, services.exe, csrss.exe
-
Drops file in Drivers directory (1 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | csrss.exe
-
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process(es)
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, smss.exe, winlogon.exe, lsass.exe
-
Executes dropped EXE (7 IoCs)
pid | process
4268 | smss.exe
2668 | winlogon.exe
4520 | services.exe
2000 | csrss.exe
2836 | lsass.exe
2532 | qm4623.exe
3392 | m4623.exe
-
Adds Run key to start application (2 TTPs, 16 IoCs)
description | ioc | process(es)
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | smss.exe, qm4623.exe, m4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, lsass.exe, winlogon.exe, services.exe, csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4443c = "\"C:\\Windows\\j6280922.exe\"" | qm4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, winlogon.exe, csrss.exe, lsass.exe, m4623.exe, smss.exe, services.exe
-
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: | lsass.exe
-
Drops file in System32 directory (64 IoCs)
description | ioc | process(es)
File created | C:\Windows\SysWOW64\s4827\smss.exe | qm4623.exe, services.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, winlogon.exe, smss.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | qm4623.exe, m4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, lsass.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File created | C:\Windows\SysWOW64\c_28092k.com | 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\s4827\winlogon.exe | smss.exe
File created | C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\csrss.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\m4623.exe | winlogon.exe
File created | C:\Windows\SysWOW64\s4827\c.bron.tok.txt | lsass.exe
File created | C:\Windows\SysWOW64\s4827\Spread.Mail.Bro\[email protected] | services.exe
File created | C:\Windows\SysWOW64\s4827\domlist.txt | cmd.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | services.exe, qm4623.exe, winlogon.exe, lsass.exe, smss.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, csrss.exe, m4623.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe, winlogon.exe, qm4623.exe, lsass.exe, csrss.exe, m4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, services.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | m4623.exe, csrss.exe, smss.exe, lsass.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, qm4623.exe, services.exe, winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File opened for modification | C:\Windows\SysWOW64\c_28092k.com | winlogon.exe, csrss.exe, smss.exe, lsass.exe, qm4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, services.exe, m4623.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | m4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, smss.exe, csrss.exe, qm4623.exe, winlogon.exe, lsass.exe
File opened for modification | C:\Windows\SysWOW64\s4827\services.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\lsass.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\csrss.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\s4827\domlist.txt | lsass.exe
-
Drops file in Windows directory (34 IoCs)
description | ioc | process(es)
File created | C:\Windows\o4280927.exe | 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, qm4623.exe, m4623.exe
File created | C:\Windows\j6280922.exe | 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, qm4623.exe
File created | C:\Windows\_default28092.pif | qm4623.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe
File created | C:\Windows\Ad10218\qm4623.exe | winlogon.exe
File opened for modification | C:\Windows\Ad10218 | winlogon.exe
File opened for modification | C:\Windows\Ad10218\qm4623.exe | winlogon.exe
File opened for modification | C:\Windows\j6280922.exe | lsass.exe, services.exe, winlogon.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, smss.exe, csrss.exe, m4623.exe, qm4623.exe
File opened for modification | C:\Windows\o4280927.exe | lsass.exe, winlogon.exe, csrss.exe, services.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, m4623.exe, qm4623.exe, smss.exe
File opened for modification | C:\Windows\_default28092.pif | services.exe, csrss.exe, 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, winlogon.exe, qm4623.exe, lsass.exe, smss.exe, m4623.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | process(es)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe, winlogon.exe, services.exe, qm4623.exe, m4623.exe, at.exe (3 times), 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, lsass.exe, cmd.exe, net.exe, csrss.exe
-
Discovers systems in the same network (1 TTP, 1 IoCs)
pid | process
3532 | net.exe
-
Modifies registry class (2 IoCs)
description | ioc | process(es)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe, smss.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
2668 | winlogon.exe (reported 64 times)
-
Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | process | procid_target
(each of the 12 records below appears three times in the report)
PID 3152 wrote to memory of 4268 | 3152 | 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe | 83
PID 4268 wrote to memory of 2668 | 4268 | smss.exe | 85
PID 2668 wrote to memory of 4520 | 2668 | winlogon.exe | 87
PID 2668 wrote to memory of 2000 | 2668 | winlogon.exe | 89
PID 2668 wrote to memory of 2836 | 2668 | winlogon.exe | 91
PID 2668 wrote to memory of 2532 | 2668 | winlogon.exe | 93
PID 2668 wrote to memory of 3392 | 2668 | winlogon.exe | 95
PID 2668 wrote to memory of 4280 | 2668 | winlogon.exe | 97
PID 2668 wrote to memory of 4856 | 2668 | winlogon.exe | 101
PID 2668 wrote to memory of 4472 | 2668 | winlogon.exe | 105
PID 2836 wrote to memory of 3560 | 2836 | lsass.exe | 112
PID 3560 wrote to memory of 3532 | 3560 | cmd.exe | 114
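The "wrote to memory of" records are the sandbox's parent/child evidence (each record is emitted three times per child), and the process list gives every PID's image path. What a responder wants from them is the tree plus a check on the lookalike names: the real smss.exe, csrss.exe, winlogon.exe, services.exe and lsass.exe live in C:\Windows\System32 and have fixed parents, while these copies run from C:\Windows\SysWOW64\s4827 (the command lines say system32, but a 32-bit process on x64 is redirected to SysWOW64 by WOW64 file system redirection, which is why the drop paths above are under SysWOW64). The Python below is an added example written for this page, not part of the report or its tooling. The record lines and the PID-to-image dictionary are constructed from the report; PIDs 4280, 4856 and 4472 have no image visible on the page and are rendered as unknown. The expected-parent table is my assumption of a normal Windows boot, not something the report states.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample: the distinct "wrote to memory of" records from the report,
# with the first one repeated three times the way the sandbox emits them.
SAMPLE_WPM = """\
PID 3152 wrote to memory of 4268 3152 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe 83
PID 3152 wrote to memory of 4268 3152 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe 83
PID 3152 wrote to memory of 4268 3152 0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe 83
PID 4268 wrote to memory of 2668 4268 smss.exe 85
PID 2668 wrote to memory of 4520 2668 winlogon.exe 87
PID 2668 wrote to memory of 2000 2668 winlogon.exe 89
PID 2668 wrote to memory of 2836 2668 winlogon.exe 91
PID 2668 wrote to memory of 2532 2668 winlogon.exe 93
PID 2668 wrote to memory of 3392 2668 winlogon.exe 95
PID 2668 wrote to memory of 4280 2668 winlogon.exe 97
PID 2668 wrote to memory of 4856 2668 winlogon.exe 101
PID 2668 wrote to memory of 4472 2668 winlogon.exe 105
PID 2836 wrote to memory of 3560 2836 lsass.exe 112
PID 3560 wrote to memory of 3532 3560 cmd.exe 114
"""

# Constructed from the report's process list: PID -> image path.
# PIDs 4280, 4856 and 4472 have no image visible in the report.
IMAGES = {
    3152: r"C:\Users\Admin\AppData\Local\Temp\0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe",
    4268: r"C:\Windows\SysWOW64\s4827\smss.exe",
    2668: r"C:\Windows\SysWOW64\s4827\winlogon.exe",
    4520: r"C:\Windows\SysWOW64\s4827\services.exe",
    2000: r"C:\Windows\SysWOW64\s4827\csrss.exe",
    2836: r"C:\Windows\SysWOW64\s4827\lsass.exe",
    2532: r"C:\Windows\Ad10218\qm4623.exe",
    3392: r"C:\Windows\SysWOW64\s4827\m4623.exe",
    3560: r"C:\Windows\SysWOW64\cmd.exe",
    3532: r"C:\Windows\SysWOW64\net.exe",
}

WPM_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) \d+ \S+ \d+$")

# Assumption: normal boot structure. smss.exe is started by the System process;
# the smss.exe instance that spawns csrss/winlogon exits right after doing so.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
}
SYSTEM32 = r"c:\windows\system32"


class Masquerade(NamedTuple):
    pid: int
    name: str
    reason: str


def parse_edges(text):
    """Return the set of (parent_pid, child_pid) edges; repeated records collapse."""
    edges = set()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges.add((int(m["parent"]), int(m["child"])))
    return edges


def build_tree(edges):
    """Return (roots, parent map, children map) for the edge set."""
    children, parent = defaultdict(list), {}
    for p, c in sorted(edges):
        children[p].append(c)
        parent[c] = p
    roots = sorted({p for p, _ in edges} - set(parent))
    return roots, parent, children


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def render_tree(pids, children, images, depth=0):
    """Indented one-line-per-process view, depth first."""
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"{pid} {images.get(pid, '<unknown image>')}")
        lines.extend(render_tree(children.get(pid, []), children, images, depth + 1))
    return lines


def find_masquerades(parent, images):
    """Flag core-process names whose image directory or parent is not the real one."""
    findings = []
    for pid, path in images.items():
        name = basename(path)
        if name not in EXPECTED_PARENT:
            continue
        if dirname(path) != SYSTEM32:
            findings.append(Masquerade(pid, name, f"runs from {dirname(path)}, not {SYSTEM32}"))
        ppid = parent.get(pid)
        pname = basename(images[ppid]) if ppid in images else "<unknown>"
        if pname != EXPECTED_PARENT[name]:
            findings.append(Masquerade(pid, name, f"parent {pname} (pid {ppid}), expected {EXPECTED_PARENT[name]}"))
    return findings


if __name__ == "__main__":
    roots, parent, children = build_tree(parse_edges(SAMPLE_WPM))
    print("\n".join(render_tree(roots, children, IMAGES)))
    for f in find_masquerades(parent, IMAGES):
        print(f"[masquerade] pid {f.pid} {f.name}: {f.reason}")
```

Both checks fire independently on purpose: the path rule alone catches every copy here, but the parent rule also catches a lookalike that is planted in System32 itself, and on a live host it is the one to keep since the true csrss/winlogon parent has already exited and shows as unknown rather than as a user-mode process.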
Processes
-
C:\Users\Admin\AppData\Local\Temp\0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe (depth 1, PID 3152)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0436a71bd5b7eebf611713cdeeb2414f_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\s4827\smss.exe (depth 2, PID 4268)
  Command line: "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\s4827\winlogon.exe (depth 3, PID 2668)
  Command line: "C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\s4827\services.exe (depth 4, PID 4520)
  Command line: "C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\s4827\csrss.exe (depth 4, PID 2000)
  Command line: "C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\s4827\lsass.exe (depth 4)
Command line: "C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~
Signatures:
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2836
C:\Windows\SysWOW64\cmd.exe (depth 5)
Command line: "C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"
Signatures:
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3560
C:\Windows\SysWOW64\net.exe (depth 6)
Command line: net view /domain
Signatures:
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
PID: 3532
C:\Windows\Ad10218\qm4623.exe (depth 4)
Command line: "C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~
Signatures:
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID: 2532
C:\Windows\SysWOW64\s4827\m4623.exe (depth 4)
Command line: "C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~
Signatures:
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID: 3392
C:\Windows\SysWOW64\at.exe (depth 4)
Command line: "C:\Windows\System32\at.exe" /delete /y
Signatures:
- System Location Discovery: System Language Discovery
PID: 4280
C:\Windows\SysWOW64\at.exe (depth 4)
Command line: "C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
Signatures:
- System Location Discovery: System Language Discovery
PID: 4856
C:\Windows\SysWOW64\at.exe (depth 4)
Command line: "C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"
Signatures:
- System Location Discovery: System Language Discovery
PID: 4472
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Modify Registry (5)
Downloads
- Filesize: 128KB
  MD5: 3c0c239c312334edf86e656081ec0e6f
  SHA1: 010d545a5ef61c9f769c86aa1a958807e0b16e35
  SHA256: bd51a65a181364eb7a31fc1b79e29854a91cccd04bf44732e83ad8349bc67224
  SHA512: 0c3efc560678856f762f9cd4c38cbedaeb0d5c00373c914316a9e63c603aba0b09a49f507065005c69df202c709a9fbd4176610a03bfe4beeec3bc168442064c
- Filesize: 153KB
  MD5: 0436a71bd5b7eebf611713cdeeb2414f
  SHA1: 757ebd01bdbb002be1a696c059092a191f77d450
  SHA256: dec9dcc53d1de7fe3492f327f928cf5e94d2e0d983e5009e8bac95219064d159
  SHA512: 3af1283c17a77a3d352c71dceabe21b60260b8ee64399380eef30c80c5c13c3a8cc1303dd1d98914fca39def1470502e7c0280ed342181d8e2c20ac986329770