db5be5a732b104239376559456414ad75a4388d2bf84dbf2b4f0472bb9538a5e

General

Target

404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe
Size

848KB
MD5

404f53ed2aa790c9986cbac778fc0801
SHA1

4198e3a27b60c996fb93b577320a466080a75019
SHA256

db5be5a732b104239376559456414ad75a4388d2bf84dbf2b4f0472bb9538a5e
SHA512

792268932fe0c15dc58770a11700e62abf26260d232413c59f2509ba6620ffc1f63f0baf85e0bc68287fffef6a2f69c75163f8f3fb7c2b012c8c187092f12d28
SSDEEP

24576:FykI8RnQhHfKrEr1zJ9OIobDal9F6SzGYEPzbs:4kI8JQh/Su6ClCXY6s

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\RECYCLER\\services.exe"	file2.exe

Executes dropped EXE 3 IoCs

pid	Process
2096	file2.exe
2068	services.exe
2240	file1.exe

Loads dropped DLL 6 IoCs

pid	Process
1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe
1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe
1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe
2096	file2.exe
2096	file2.exe
1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KsExpert = "C:\\windows\\k.exe"	file1.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\k.exe	file1.exe
File opened for modification	C:\windows\k.exe	file1.exe
File created	C:\WINDOWS\Menu Start\Programy\Autostart\Explore.exe	file1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2240	file1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2096	1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2096	1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2096	1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2096	1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2240	1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2240	1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2240	1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe	31
PID 1968 wrote to memory of 2240	1968	404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2068	2096	file2.exe	32
PID 2096 wrote to memory of 2068	2096	file2.exe	32
PID 2096 wrote to memory of 2068	2096	file2.exe	32
PID 2096 wrote to memory of 2068	2096	file2.exe	32

C:\Users\Admin\AppData\Local\Temp\404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\404f53ed2aa790c9986cbac778fc0801_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\file2.exe
  "C:\Users\Admin\AppData\Local\Temp\file2.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\RECYCLER\services.exe
    C:\RECYCLER\services.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2068
- C:\Users\Admin\AppData\Local\Temp\file1.exe
  "C:\Users\Admin\AppData\Local\Temp\file1.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
494KB

MD5
ec00db658ceb51bc8f5f57a1e8f8a5c8

SHA1
7a876f3e8a1d877a186710a75ec837ca04c1123f

SHA256
02d2ff7c0f8853395db9d11204d1250944fdb7c0da7a4e0950a98d125e1e7fa7

SHA512
31a1f5732ee5dd060ed0ff1fb0d7ecb9601e97aa2144650ba23e0408470802bff82096c44c8555b02a3c79b42eab0020204e030afba583bd8d504ca40540fca1

Download Submit
\Users\Admin\AppData\Local\Temp\file2.exe

Filesize
350KB

MD5
ac515aa5e3c9656c8bb3690e13078b5d

SHA1
4b35314617d0942f3d0113b91e3608805c333aec

SHA256
2eba142b1804b6413bd99aea42578bef9bf632c34c465489e45ffe940e41840f

SHA512
81c39792fea02614bb45b02ae9c8563f38d5a9a160b5537938f8ca863775c00aaa7051ceac2c9fe2837eb0578780bca948dfe8fdf62cea83d044447d580273eb

Download Submit
memory/1968-28-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1968-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2068-38-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2096-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2096-36-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2240-43-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-51-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-41-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-37-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-45-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-47-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-49-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-39-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-53-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-55-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-57-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-59-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-61-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2240-63-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads