modiloader | e3a486e4ba4108e5ea52c358a6e0cd0d10c9bf9e7e1ffcd8025e23d1ac220b16

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
Size

167KB
MD5

c960c47de67d41e0c8a133b7ccaac11f
SHA1

4b6a125d51cadec5f47664321ae6a3d67d3093f2
SHA256

e3a486e4ba4108e5ea52c358a6e0cd0d10c9bf9e7e1ffcd8025e23d1ac220b16
SHA512

8e727700d3e5762c5a7741c187f3eb9e2e9fe6e947ba1c00dcd8258f2004694b390f3129c2132a2035bf717921caf699bfbbd8e9fca8531be501bea12f2c07a8
SSDEEP

3072:ONIiqCfgftezBZsyzuajkpDGJpVALLf7aB+pYKQbOFR0LAtEBXC:n9VezBZtQpDcOmaL0I

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 31 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023c57-2.dat	modiloader_stage2
behavioral2/memory/4036-4-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/4840-6-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3868-8-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-10-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3744-12-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3276-14-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/2560-16-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/4256-18-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3024-20-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/1664-22-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3568-24-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3620-26-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3204-28-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/2636-30-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/2536-32-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/2332-34-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/220-36-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3264-38-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/1504-40-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3192-42-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-44-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/2768-46-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/2040-48-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3056-50-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/4044-52-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/1484-54-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/3744-56-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-58-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/556-60-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2
behavioral2/memory/2328-62-0x0000000000400000-0x0000000000430000-memory.dmp	modiloader_stage2

Executes dropped EXE 30 IoCs

pid	Process
4840	netlogon.exe
3868	netlogon.exe
3764	netlogon.exe
3744	netlogon.exe
3276	netlogon.exe
2560	netlogon.exe
4256	netlogon.exe
3024	netlogon.exe
1664	netlogon.exe
3568	netlogon.exe
3620	netlogon.exe
3204	netlogon.exe
2636	netlogon.exe
2536	netlogon.exe
2332	netlogon.exe
220	netlogon.exe
3264	netlogon.exe
1504	netlogon.exe
3192	netlogon.exe
1392	netlogon.exe
2768	netlogon.exe
2040	netlogon.exe
3056	netlogon.exe
4044	netlogon.exe
1484	netlogon.exe
3744	netlogon.exe
4528	netlogon.exe
556	netlogon.exe
2328	netlogon.exe
2932	netlogon.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinIogon = "c:\\windows\\system32\\netlogon.exe"	netlogon.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\netlogon.exe	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\netlogon.exe	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe
File created	\??\c:\windows\SysWOW64\netlogon.exe	netlogon.exe

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4036	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
4036	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
4840	netlogon.exe
4840	netlogon.exe
4840	netlogon.exe
4840	netlogon.exe
3868	netlogon.exe
3868	netlogon.exe
3868	netlogon.exe
3868	netlogon.exe
3764	netlogon.exe
3764	netlogon.exe
3764	netlogon.exe
3764	netlogon.exe
3744	netlogon.exe
3744	netlogon.exe
3744	netlogon.exe
3744	netlogon.exe
3276	netlogon.exe
3276	netlogon.exe
3276	netlogon.exe
3276	netlogon.exe
2560	netlogon.exe
2560	netlogon.exe
2560	netlogon.exe
2560	netlogon.exe
4256	netlogon.exe
4256	netlogon.exe
4256	netlogon.exe
4256	netlogon.exe
3024	netlogon.exe
3024	netlogon.exe
3024	netlogon.exe
3024	netlogon.exe
1664	netlogon.exe
1664	netlogon.exe
1664	netlogon.exe
1664	netlogon.exe
3568	netlogon.exe
3568	netlogon.exe
3568	netlogon.exe
3568	netlogon.exe
3620	netlogon.exe
3620	netlogon.exe
3620	netlogon.exe
3620	netlogon.exe
3204	netlogon.exe
3204	netlogon.exe
3204	netlogon.exe
3204	netlogon.exe
2636	netlogon.exe
2636	netlogon.exe
2636	netlogon.exe
2636	netlogon.exe
2536	netlogon.exe
2536	netlogon.exe
2536	netlogon.exe
2536	netlogon.exe
2332	netlogon.exe
2332	netlogon.exe
2332	netlogon.exe
2332	netlogon.exe
220	netlogon.exe
220	netlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4840	4036	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe	83
PID 4036 wrote to memory of 4840	4036	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe	83
PID 4036 wrote to memory of 4840	4036	c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe	83
PID 4840 wrote to memory of 3868	4840	netlogon.exe	84
PID 4840 wrote to memory of 3868	4840	netlogon.exe	84
PID 4840 wrote to memory of 3868	4840	netlogon.exe	84
PID 3868 wrote to memory of 3764	3868	netlogon.exe	85
PID 3868 wrote to memory of 3764	3868	netlogon.exe	85
PID 3868 wrote to memory of 3764	3868	netlogon.exe	85
PID 3764 wrote to memory of 3744	3764	netlogon.exe	94
PID 3764 wrote to memory of 3744	3764	netlogon.exe	94
PID 3764 wrote to memory of 3744	3764	netlogon.exe	94
PID 3744 wrote to memory of 3276	3744	netlogon.exe	99
PID 3744 wrote to memory of 3276	3744	netlogon.exe	99
PID 3744 wrote to memory of 3276	3744	netlogon.exe	99
PID 3276 wrote to memory of 2560	3276	netlogon.exe	100
PID 3276 wrote to memory of 2560	3276	netlogon.exe	100
PID 3276 wrote to memory of 2560	3276	netlogon.exe	100
PID 2560 wrote to memory of 4256	2560	netlogon.exe	103
PID 2560 wrote to memory of 4256	2560	netlogon.exe	103
PID 2560 wrote to memory of 4256	2560	netlogon.exe	103
PID 4256 wrote to memory of 3024	4256	netlogon.exe	104
PID 4256 wrote to memory of 3024	4256	netlogon.exe	104
PID 4256 wrote to memory of 3024	4256	netlogon.exe	104
PID 3024 wrote to memory of 1664	3024	netlogon.exe	106
PID 3024 wrote to memory of 1664	3024	netlogon.exe	106
PID 3024 wrote to memory of 1664	3024	netlogon.exe	106
PID 1664 wrote to memory of 3568	1664	netlogon.exe	107
PID 1664 wrote to memory of 3568	1664	netlogon.exe	107
PID 1664 wrote to memory of 3568	1664	netlogon.exe	107
PID 3568 wrote to memory of 3620	3568	netlogon.exe	108
PID 3568 wrote to memory of 3620	3568	netlogon.exe	108
PID 3568 wrote to memory of 3620	3568	netlogon.exe	108
PID 3620 wrote to memory of 3204	3620	netlogon.exe	109
PID 3620 wrote to memory of 3204	3620	netlogon.exe	109
PID 3620 wrote to memory of 3204	3620	netlogon.exe	109
PID 3204 wrote to memory of 2636	3204	netlogon.exe	111
PID 3204 wrote to memory of 2636	3204	netlogon.exe	111
PID 3204 wrote to memory of 2636	3204	netlogon.exe	111
PID 2636 wrote to memory of 2536	2636	netlogon.exe	112
PID 2636 wrote to memory of 2536	2636	netlogon.exe	112
PID 2636 wrote to memory of 2536	2636	netlogon.exe	112
PID 2536 wrote to memory of 2332	2536	netlogon.exe	113
PID 2536 wrote to memory of 2332	2536	netlogon.exe	113
PID 2536 wrote to memory of 2332	2536	netlogon.exe	113
PID 2332 wrote to memory of 220	2332	netlogon.exe	114
PID 2332 wrote to memory of 220	2332	netlogon.exe	114
PID 2332 wrote to memory of 220	2332	netlogon.exe	114
PID 220 wrote to memory of 3264	220	netlogon.exe	115
PID 220 wrote to memory of 3264	220	netlogon.exe	115
PID 220 wrote to memory of 3264	220	netlogon.exe	115
PID 1504 wrote to memory of 3192	1504	netlogon.exe	117
PID 1504 wrote to memory of 3192	1504	netlogon.exe	117
PID 1504 wrote to memory of 3192	1504	netlogon.exe	117
PID 3192 wrote to memory of 1392	3192	netlogon.exe	118
PID 3192 wrote to memory of 1392	3192	netlogon.exe	118
PID 3192 wrote to memory of 1392	3192	netlogon.exe	118
PID 1392 wrote to memory of 2768	1392	netlogon.exe	119
PID 1392 wrote to memory of 2768	1392	netlogon.exe	119
PID 1392 wrote to memory of 2768	1392	netlogon.exe	119
PID 2768 wrote to memory of 2040	2768	netlogon.exe	120
PID 2768 wrote to memory of 2040	2768	netlogon.exe	120
PID 2768 wrote to memory of 2040	2768	netlogon.exe	120
PID 2040 wrote to memory of 3056	2040	netlogon.exe	121

C:\Users\Admin\AppData\Local\Temp\c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4036
- \??\c:\windows\SysWOW64\netlogon.exe
  c:\windows\system32\netlogon.exe /Kl C:\Users\Admin\AppData\Local\Temp\c960c47de67d41e0c8a133b7ccaac11f_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4840
- - \??\c:\windows\SysWOW64\netlogon.exe
    c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - \??\c:\windows\SysWOW64\netlogon.exe
      c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3764
    - - \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3744
      - \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:556
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        \??\c:\windows\SysWOW64\netlogon.exe
        
        c:\windows\system32\netlogon.exe /Kl c:\windows\SysWOW64\netlogon.exe
        31⤵
        Executes dropped EXE
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\netlogon.exe

Filesize
167KB

MD5
c960c47de67d41e0c8a133b7ccaac11f

SHA1
4b6a125d51cadec5f47664321ae6a3d67d3093f2

SHA256
e3a486e4ba4108e5ea52c358a6e0cd0d10c9bf9e7e1ffcd8025e23d1ac220b16

SHA512
8e727700d3e5762c5a7741c187f3eb9e2e9fe6e947ba1c00dcd8258f2004694b390f3129c2132a2035bf717921caf699bfbbd8e9fca8531be501bea12f2c07a8

Download Submit
memory/220-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/556-60-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1392-44-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1484-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1504-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1664-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2040-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2328-62-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2332-34-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2536-32-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2560-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2636-30-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2768-46-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3024-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3056-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3192-42-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3204-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3264-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3276-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3568-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3620-26-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3744-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3744-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3764-10-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3868-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4036-4-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4044-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4256-18-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4528-58-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4840-6-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download