modiloader | e3a486e4ba4108e5ea52c358a6e0cd0d10c9bf9e7e1ffcd8025e23d1ac220b16

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
Size

167KB
MD5

c960c47de67d41e0c8a133b7ccaac11f
SHA1

4b6a125d51cadec5f47664321ae6a3d67d3093f2
SHA256

e3a486e4ba4108e5ea52c358a6e0cd0d10c9bf9e7e1ffcd8025e23d1ac220b16
SHA512

8e727700d3e5762c5a7741c187f3eb9e2e9fe6e947ba1c00dcd8258f2004694b390f3129c2132a2035bf717921caf699bfbbd8e9fca8531be501bea12f2c07a8
SSDEEP

3072:ONIiqCfgftezBZsyzuajkpDGJpVALLf7aB+pYKQbOFR0LAtEBXC:n9VezBZtQpDcOmaL0I

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 31 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012029-1.dat	modiloader_stage2
behavioral1/memory/2532-8-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2512-13-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2348-17-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/1996-21-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2320-25-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2808-29-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2736-33-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-37-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2888-41-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-45-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-49-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/3016-53-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/1544-57-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/1492-61-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2488-65-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/1716-69-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2568-73-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/1000-77-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2648-81-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/1800-85-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/300-89-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/444-90-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2912-91-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2372-92-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/992-93-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/1616-94-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/1832-95-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/1504-96-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/2312-97-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral1/memory/1568-98-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2

Executes dropped EXE 30 IoCs

pid	Process
2512	netlogon.exe
2348	netlogon.exe
1996	netlogon.exe
2320	netlogon.exe
2808	netlogon.exe
2736	netlogon.exe
2764	netlogon.exe
2888	netlogon.exe
2692	netlogon.exe
2644	netlogon.exe
3016	netlogon.exe
1544	netlogon.exe
1492	netlogon.exe
2488	netlogon.exe
1716	netlogon.exe
2568	netlogon.exe
1000	netlogon.exe
2648	netlogon.exe
1800	netlogon.exe
300	netlogon.exe
444	netlogon.exe
2912	netlogon.exe
2372	netlogon.exe
992	netlogon.exe
1616	netlogon.exe
1832	netlogon.exe
1504	netlogon.exe
2312	netlogon.exe
1568	netlogon.exe
3068	netlogon.exe

Loads dropped DLL 60 IoCs

pid	Process
2532	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
2532	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
2512	netlogon.exe
2512	netlogon.exe
2348	netlogon.exe
2348	netlogon.exe
1996	netlogon.exe
1996	netlogon.exe
2320	netlogon.exe
2320	netlogon.exe
2808	netlogon.exe
2808	netlogon.exe
2736	netlogon.exe
2736	netlogon.exe
2764	netlogon.exe
2764	netlogon.exe
2888	netlogon.exe
2888	netlogon.exe
2692	netlogon.exe
2692	netlogon.exe
2644	netlogon.exe
2644	netlogon.exe
3016	netlogon.exe
3016	netlogon.exe
1544	netlogon.exe
1544	netlogon.exe
1492	netlogon.exe
1492	netlogon.exe
2488	netlogon.exe
2488	netlogon.exe
1716	netlogon.exe
1716	netlogon.exe
2568	netlogon.exe
2568	netlogon.exe
1000	netlogon.exe
1000	netlogon.exe
2648	netlogon.exe
2648	netlogon.exe
1800	netlogon.exe
1800	netlogon.exe
300	netlogon.exe
300	netlogon.exe
444	netlogon.exe
444	netlogon.exe
2912	netlogon.exe
2912	netlogon.exe
2372	netlogon.exe
2372	netlogon.exe
992	netlogon.exe
992	netlogon.exe
1616	netlogon.exe
1616	netlogon.exe
1832	netlogon.exe
1832	netlogon.exe
1504	netlogon.exe
1504	netlogon.exe
2312	netlogon.exe
2312	netlogon.exe
1568	netlogon.exe
1568	netlogon.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\netlogon.exe	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2532	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
2512	netlogon.exe
2512	netlogon.exe
2348	netlogon.exe
2348	netlogon.exe
1996	netlogon.exe
1996	netlogon.exe
2320	netlogon.exe
2320	netlogon.exe
2808	netlogon.exe
2808	netlogon.exe
2736	netlogon.exe
2736	netlogon.exe
2764	netlogon.exe
2764	netlogon.exe
2888	netlogon.exe
2888	netlogon.exe
2692	netlogon.exe
2692	netlogon.exe
2644	netlogon.exe
2644	netlogon.exe
3016	netlogon.exe
3016	netlogon.exe
1544	netlogon.exe
1544	netlogon.exe
1492	netlogon.exe
1492	netlogon.exe
2488	netlogon.exe
2488	netlogon.exe
1716	netlogon.exe
1716	netlogon.exe
2568	netlogon.exe
2568	netlogon.exe
1000	netlogon.exe
1000	netlogon.exe
2648	netlogon.exe
2648	netlogon.exe
1800	netlogon.exe
1800	netlogon.exe
300	netlogon.exe
300	netlogon.exe
444	netlogon.exe
444	netlogon.exe
2912	netlogon.exe
2912	netlogon.exe
2372	netlogon.exe
2372	netlogon.exe
992	netlogon.exe
992	netlogon.exe
1616	netlogon.exe
1616	netlogon.exe
1832	netlogon.exe
1832	netlogon.exe
1504	netlogon.exe
1504	netlogon.exe
2312	netlogon.exe
2312	netlogon.exe
1568	netlogon.exe
1568	netlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2512	2532	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2512	2532	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2512	2532	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2512	2532	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2348	2512	netlogon.exe	32
PID 2512 wrote to memory of 2348	2512	netlogon.exe	32
PID 2512 wrote to memory of 2348	2512	netlogon.exe	32
PID 2512 wrote to memory of 2348	2512	netlogon.exe	32
PID 2348 wrote to memory of 1996	2348	netlogon.exe	33
PID 2348 wrote to memory of 1996	2348	netlogon.exe	33
PID 2348 wrote to memory of 1996	2348	netlogon.exe	33
PID 2348 wrote to memory of 1996	2348	netlogon.exe	33
PID 1996 wrote to memory of 2320	1996	netlogon.exe	34
PID 1996 wrote to memory of 2320	1996	netlogon.exe	34
PID 1996 wrote to memory of 2320	1996	netlogon.exe	34
PID 1996 wrote to memory of 2320	1996	netlogon.exe	34
PID 2320 wrote to memory of 2808	2320	netlogon.exe	35
PID 2320 wrote to memory of 2808	2320	netlogon.exe	35
PID 2320 wrote to memory of 2808	2320	netlogon.exe	35
PID 2320 wrote to memory of 2808	2320	netlogon.exe	35
PID 2808 wrote to memory of 2736	2808	netlogon.exe	36
PID 2808 wrote to memory of 2736	2808	netlogon.exe	36
PID 2808 wrote to memory of 2736	2808	netlogon.exe	36
PID 2808 wrote to memory of 2736	2808	netlogon.exe	36
PID 2736 wrote to memory of 2764	2736	netlogon.exe	37
PID 2736 wrote to memory of 2764	2736	netlogon.exe	37
PID 2736 wrote to memory of 2764	2736	netlogon.exe	37
PID 2736 wrote to memory of 2764	2736	netlogon.exe	37
PID 2764 wrote to memory of 2888	2764	netlogon.exe	38
PID 2764 wrote to memory of 2888	2764	netlogon.exe	38
PID 2764 wrote to memory of 2888	2764	netlogon.exe	38
PID 2764 wrote to memory of 2888	2764	netlogon.exe	38
PID 2888 wrote to memory of 2692	2888	netlogon.exe	39
PID 2888 wrote to memory of 2692	2888	netlogon.exe	39
PID 2888 wrote to memory of 2692	2888	netlogon.exe	39
PID 2888 wrote to memory of 2692	2888	netlogon.exe	39
PID 2692 wrote to memory of 2644	2692	netlogon.exe	40
PID 2692 wrote to memory of 2644	2692	netlogon.exe	40
PID 2692 wrote to memory of 2644	2692	netlogon.exe	40
PID 2692 wrote to memory of 2644	2692	netlogon.exe	40
PID 2644 wrote to memory of 3016	2644	netlogon.exe	41
PID 2644 wrote to memory of 3016	2644	netlogon.exe	41
PID 2644 wrote to memory of 3016	2644	netlogon.exe	41
PID 2644 wrote to memory of 3016	2644	netlogon.exe	41
PID 3016 wrote to memory of 1544	3016	netlogon.exe	42
PID 3016 wrote to memory of 1544	3016	netlogon.exe	42
PID 3016 wrote to memory of 1544	3016	netlogon.exe	42
PID 3016 wrote to memory of 1544	3016	netlogon.exe	42
PID 1544 wrote to memory of 1492	1544	netlogon.exe	43
PID 1544 wrote to memory of 1492	1544	netlogon.exe	43
PID 1544 wrote to memory of 1492	1544	netlogon.exe	43
PID 1544 wrote to memory of 1492	1544	netlogon.exe	43
PID 1492 wrote to memory of 2488	1492	netlogon.exe	44
PID 1492 wrote to memory of 2488	1492	netlogon.exe	44
PID 1492 wrote to memory of 2488	1492	netlogon.exe	44
PID 1492 wrote to memory of 2488	1492	netlogon.exe	44
PID 2488 wrote to memory of 1716	2488	netlogon.exe	45
PID 2488 wrote to memory of 1716	2488	netlogon.exe	45
PID 2488 wrote to memory of 1716	2488	netlogon.exe	45
PID 2488 wrote to memory of 1716	2488	netlogon.exe	45
PID 1716 wrote to memory of 2568	1716	netlogon.exe	46
PID 1716 wrote to memory of 2568	1716	netlogon.exe	46
PID 1716 wrote to memory of 2568	1716	netlogon.exe	46
PID 1716 wrote to memory of 2568	1716	netlogon.exe	46

C:\Users\Admin\AppData\Local\Temp\c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2532
- \??\c:\windows\SysWOW64\netlogon.exe
  c:\windows\system32\netlogon.exe /Kl C:\Users\Admin\AppData\Local\Temp\c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2512
- - \??\c:\windows\SysWOW64\netlogon.exe
    c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - \??\c:\windows\SysWOW64\netlogon.exe
      c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1996
    - - \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:300
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:992
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        31⤵
        Executes dropped EXE
        
        PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\netlogon.exe

Filesize
167KB

MD5
c960c47de67d41e0c8a133b7ccaac11f

SHA1
4b6a125d51cadec5f47664321ae6a3d67d3093f2

SHA256
e3a486e4ba4108e5ea52c358a6e0cd0d10c9bf9e7e1ffcd8025e23d1ac220b16

SHA512
8e727700d3e5762c5a7741c187f3eb9e2e9fe6e947ba1c00dcd8258f2004694b390f3129c2132a2035bf717921caf699bfbbd8e9fca8531be501bea12f2c07a8

Download Submit
memory/300-89-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/444-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/992-93-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1000-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1492-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1504-96-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1544-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1568-98-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1616-94-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1716-69-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1800-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1832-95-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1996-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2312-97-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2320-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2348-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-92-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2488-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2512-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2532-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2568-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2644-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2648-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2692-45-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2736-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2764-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2888-41-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2912-91-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3016-53-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download