eecd601523ca7f176eff537b38a2de5aff5279b2cb0a23d12f447442b4f19658

General

Target

56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe
Size

1.8MB
MD5

56dfd1fc42a38d7658abbb9bb168a990
SHA1

cf93c985ee9850901e8d9de0f275c5283a671179
SHA256

eecd601523ca7f176eff537b38a2de5aff5279b2cb0a23d12f447442b4f19658
SHA512

1e374f9ae485329ffd80837f5a9983bee97f72c0942e4240868f756ccb3a144100a765b521975e383c7597cde967bec18a87c13f818c21b2890d95bdfa840ea3
SSDEEP

49152:nyyzT4zlfGB4/d/Zxmo/rvtchcL6yUw4gZ2oe7yUFZO:nyyz0zluGF/N/rFHL7F

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\ATManager\\apmanager.exe"	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2836	apmanager.exe

Loads dropped DLL 4 IoCs

pid	Process
2668	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe
2668	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe
2836	apmanager.exe
2836	apmanager.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\apmanager.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ATManager\\apmanager.exe silent"	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmanager.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2836	apmanager.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2836	apmanager.exe
2836	apmanager.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2836	apmanager.exe
2836	apmanager.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2836	apmanager.exe
2836	apmanager.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2836	2668	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2836	2668	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2836	2668	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2836	2668	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2836	2668	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2836	2668	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2836	2668	56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56dfd1fc42a38d7658abbb9bb168a990_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\ATManager\apmanager.exe
  C:\Users\Admin\AppData\Roaming\ATManager\apmanager.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ATManager\languages\English.lng

Filesize
5KB

MD5
07085de5f288a4af975301d446b5e33b

SHA1
1bab1af24546e953ef72b3f91ce1703aa3053da3

SHA256
5026f9af6ce420f4c30853758d9b5e1b9f0042ded6026a925ee180aea661e872

SHA512
1f8e16f22cd88a8acd47cbfd5cec4e8b496194b350b106b97b4147d42ba959894e920a5535ec022ab57b7977c74b6ec9864e0344bfea5bf2e0df95c60fd29e54

Download Submit
C:\Users\Admin\AppData\Roaming\ATManager\settings.ini

Filesize
56B

MD5
480dfaa0c94bb6f128af5540b6f36acc

SHA1
9a93ae14c6fba9f1ed892db675ed2f59c3fa9230

SHA256
ba5361c9f98152aae573f45770bc4cf061770ae07adf42a9c8ac83f24565c094

SHA512
fc47d9412158ceeb0a552e554689fdcd6aa5b883c7213e57cad415724233ff15b08a19f98f64be46bcff05f8e3708250dcef789618d990072d84e8a2ae017106

Download Submit
\Users\Admin\AppData\Roaming\ATManager\apmanager.exe

Filesize
1.8MB

MD5
269b5fbb93c424fa0d6a5878ff973938

SHA1
0a1c301028fbdbeca4f6e2d5e0a2a237504b2f93

SHA256
0ecf74be6b396805354dc4ad44f3b564c41a4f25a40be55f2871aa420bf8fbd3

SHA512
3ef5964984b5d654d9c6337ffacaf5d913be5d6e134c7fc6296d883ebc0e2535f7c3fabf4824a18f22f17057fd1aabe65207d464a503361381efb747ac2220a1

Download Submit
memory/2836-27-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2836-29-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2836-32-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2836-37-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2836-39-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2836-42-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads