Analysis Overview
SHA256
7914d880cb0d0f160aa3b286f056709fc6b2bde4219695fb28494731a0c16b27
Threat Level: Known bad
The file e365cc22f6556fe0517e3ad944892096_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 22:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 22:09
Reported
2024-04-06 22:12
Platform
win7-20240221-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\ntos.exe," | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ntos.exe | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ntos.exe | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe"
Network
No network activity was recorded in this run.
Files
memory/2008-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2008-4-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2008-3-0x0000000000400000-0x0000000000425000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 22:09
Reported
2024-04-06 22:12
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe," | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ntos.exe | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ntos.exe | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
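In both runs the Userinit value lands under Wow6432Node and ntos.exe lands in SysWOW64, even though the written value names C:\Windows\system32\ntos.exe: the sample is a 32-bit image and on the 64-bit sandbox VMs WOW64 redirects both its registry write to HKLM\SOFTWARE\...\Winlogon and its file write to system32. The 64-bit winlogon.exe reads the native key, so a host check has to read both registry views and both directories. Note also the difference between runs: win7 keeps "userinit.exe," in front of ntos.exe, while the win10 run writes "C:\Windows\system32\ntos.exe," alone, which would leave nothing to start the shell unless ntos.exe does so itself. The triage script below is an added example, not part of the sandbox report; the default Userinit entry, the treatment of an absent value in the WOW64 view, and the function names are assumptions to adapt to the host being checked.

```powershell
# Added host-triage example (not from the sandbox report). Run from an elevated
# 64-bit PowerShell so that System32 and the native registry view are not
# redirected. Assumptions: the default Userinit entry and the output shape.

# Sample SHA256 from the report, used to recognise an unmodified dropped copy.
$SampleSha256 = '7914D880CB0D0F160AA3B286F056709FC6B2BDE4219695FB28494731A0C16B27'

# Default Userinit entry on a clean install (assumption; the stored value keeps a
# trailing comma, e.g. "C:\Windows\system32\userinit.exe,").
$ExpectedEntry = 'C:\Windows\system32\userinit.exe'

# Both registry views: 64-bit winlogon.exe reads the native key; a 32-bit
# process writing the same path is redirected to Wow6432Node.
$WinlogonKeys = [ordered]@{
    Native  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Wow6432 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
}

function Get-UserinitStatus {
    foreach ($view in $WinlogonKeys.Keys) {
        $path  = $WinlogonKeys[$view]
        $value = (Get-ItemProperty -LiteralPath $path -Name Userinit -ErrorAction SilentlyContinue).Userinit
        if ($null -eq $value) {
            # No value in this view. For the WOW64 view that is the expected state
            # (assumption: compare with a known-good host of the same build).
            [pscustomobject]@{ View = $view; Userinit = $null; Foreign = @(); Verdict = 'absent' }
            continue
        }
        # Userinit is a comma-separated list. Anything that is not the default
        # entry by full path is reported; a bare "userinit.exe", as written in the
        # win7 run, is therefore flagged as well.
        $entries = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
        $foreign = @($entries | Where-Object { $_ -ine $ExpectedEntry })
        [pscustomobject]@{
            View     = $view
            Userinit = $value
            Foreign  = $foreign
            Verdict  = if ($foreign.Count -gt 0) { 'MODIFIED' } else { 'default' }
        }
    }
}

function Get-DroppedNtos {
    # Check both directories: a 32-bit writer targeting system32 lands in SysWOW64.
    foreach ($dir in 'System32', 'SysWOW64') {
        $p = Join-Path $env:SystemRoot "$dir\ntos.exe"
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Present = $false; SHA256 = $null; Signature = $null; SameAsSample = $false }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path         = $p
            Present      = $true
            SHA256       = $hash
            Signature    = (Get-AuthenticodeSignature -FilePath $p).Status   # NotSigned is expected for this sample
            SameAsSample = ($hash -ieq $SampleSha256)
        }
    }
}

Get-UserinitStatus | Format-Table View, Verdict, Userinit -AutoSize
Get-DroppedNtos    | Format-Table Path, Present, SameAsSample, Signature, SHA256 -AutoSize
```

If only a 32-bit PowerShell is available, read the native registry view with reg.exe /reg:64 and the real System32 through $env:SystemRoot\Sysnative instead, otherwise the same redirection that affected the sample will hide the native locations. A MODIFIED verdict in the native view means the value will be consumed at the next interactive logon; a MODIFIED verdict only in the Wow6432 view, as recorded in these runs, shows intent to persist but is not read by 64-bit winlogon.exe. On a 32-bit host the same writes would hit the real Winlogon key and System32 directly.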
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e365cc22f6556fe0517e3ad944892096_JaffaCakes118.exe"
Network
Only reverse (PTR) lookups sent to 8.8.8.8 were recorded in this run; no other connection appears, and the table below carries no process attribution, so nothing in the report ties these lookups to the sample. They should not be treated as command-and-control indicators on this evidence alone.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
memory/2760-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2760-1-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2760-2-0x0000000000400000-0x0000000000425000-memory.dmp
memory/616-11-0x0000000000400000-0x0000000000425000-memory.dmp
memory/616-16-0x00000000213D0000-0x00000000213F5000-memory.dmp
memory/616-21-0x0000000021400000-0x0000000021425000-memory.dmp
memory/616-26-0x0000000021430000-0x0000000021455000-memory.dmp
memory/616-31-0x0000000021460000-0x0000000021485000-memory.dmp
memory/616-36-0x0000000021490000-0x00000000214B5000-memory.dmp
memory/616-41-0x00000000214C0000-0x00000000214E5000-memory.dmp
memory/616-46-0x00000000214F0000-0x0000000021515000-memory.dmp
memory/616-51-0x0000000021520000-0x0000000021545000-memory.dmp
memory/616-56-0x0000000021550000-0x0000000021575000-memory.dmp
memory/616-61-0x0000000021580000-0x00000000215A5000-memory.dmp
memory/616-66-0x00000000215B0000-0x00000000215D5000-memory.dmp
memory/616-71-0x00000000215E0000-0x0000000021605000-memory.dmp
memory/616-76-0x0000000021610000-0x0000000021635000-memory.dmp
memory/616-81-0x0000000021640000-0x0000000021665000-memory.dmp
memory/616-86-0x0000000021670000-0x0000000021695000-memory.dmp
memory/616-91-0x00000000216A0000-0x00000000216C5000-memory.dmp
memory/616-96-0x00000000216D0000-0x00000000216F5000-memory.dmp
memory/616-101-0x0000000021700000-0x0000000021725000-memory.dmp
memory/616-106-0x0000000021730000-0x0000000021755000-memory.dmp
memory/616-111-0x0000000021760000-0x0000000021785000-memory.dmp
memory/616-116-0x0000000021790000-0x00000000217B5000-memory.dmp
memory/616-121-0x00000000217C0000-0x00000000217E5000-memory.dmp
memory/616-126-0x00000000217F0000-0x0000000021815000-memory.dmp
memory/616-131-0x0000000021820000-0x0000000021845000-memory.dmp
memory/616-136-0x0000000021850000-0x0000000021875000-memory.dmp
memory/616-141-0x0000000021880000-0x00000000218A5000-memory.dmp
memory/616-146-0x00000000218B0000-0x00000000218D5000-memory.dmp
memory/616-151-0x00000000218E0000-0x0000000021905000-memory.dmp
memory/616-156-0x0000000021910000-0x0000000021935000-memory.dmp
memory/616-161-0x0000000021940000-0x0000000021965000-memory.dmp
memory/616-166-0x0000000021970000-0x0000000021995000-memory.dmp
memory/616-171-0x00000000219A0000-0x00000000219C5000-memory.dmp
memory/616-176-0x00000000219D0000-0x00000000219F5000-memory.dmp
memory/616-181-0x0000000021A00000-0x0000000021A25000-memory.dmp
memory/616-186-0x0000000021A30000-0x0000000021A55000-memory.dmp
memory/616-191-0x0000000021A60000-0x0000000021A85000-memory.dmp
memory/616-196-0x0000000021A90000-0x0000000021AB5000-memory.dmp
memory/616-201-0x0000000021AC0000-0x0000000021AE5000-memory.dmp
memory/616-206-0x0000000021AF0000-0x0000000021B15000-memory.dmp
memory/616-211-0x0000000021B20000-0x0000000021B45000-memory.dmp
memory/616-216-0x0000000021B50000-0x0000000021B75000-memory.dmp
memory/616-221-0x0000000021B80000-0x0000000021BA5000-memory.dmp
memory/616-226-0x0000000021BB0000-0x0000000021BD5000-memory.dmp
memory/616-231-0x0000000021BE0000-0x0000000021C05000-memory.dmp
memory/616-236-0x0000000021C10000-0x0000000021C35000-memory.dmp
memory/616-241-0x0000000021C40000-0x0000000021C65000-memory.dmp
memory/616-246-0x0000000021C70000-0x0000000021C95000-memory.dmp
memory/616-251-0x0000000021CA0000-0x0000000021CC5000-memory.dmp
memory/616-256-0x0000000021CD0000-0x0000000021CF5000-memory.dmp
memory/616-261-0x0000000021D00000-0x0000000021D25000-memory.dmp
memory/616-266-0x0000000021D30000-0x0000000021D55000-memory.dmp
memory/616-271-0x0000000021D60000-0x0000000021D85000-memory.dmp
memory/616-276-0x0000000021D90000-0x0000000021DB5000-memory.dmp
memory/616-281-0x0000000021DC0000-0x0000000021DE5000-memory.dmp
memory/616-286-0x0000000021DF0000-0x0000000021E15000-memory.dmp
memory/616-291-0x0000000021E20000-0x0000000021E45000-memory.dmp
memory/616-296-0x0000000021E50000-0x0000000021E75000-memory.dmp
memory/616-301-0x0000000021E80000-0x0000000021EA5000-memory.dmp
memory/616-306-0x0000000021EB0000-0x0000000021ED5000-memory.dmp
memory/616-311-0x0000000021EE0000-0x0000000021F05000-memory.dmp
memory/616-316-0x0000000021F10000-0x0000000021F35000-memory.dmp
memory/616-321-0x0000000021F40000-0x0000000021F65000-memory.dmp
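The dump names encode the PID, a sequence number and the start and end of each region. Region 0x400000-0x425000 (0x25000 bytes) is the sample's own image in PID 2760, the same size dumped for PID 2008 in the win7 run. PID 616 carries that same 0x400000 region and then a run of regions from 0x213D0000 upward, each 0x25000 bytes and spaced 0x30000 apart. Together with the WriteProcessMemory signature and winlogon.exe appearing in this run's process list, that pattern is consistent with the sample's image being written repeatedly into another process, although the report does not state which process PID 616 is. The script below is an added example, not part of the report, that parses the dump names and makes the size match explicit; its input is a constructed subset of the names listed above, and the function names are assumptions.

```powershell
# Added example (not part of the sandbox report): derive region sizes from the
# memory-dump names and flag regions in other PIDs whose size equals the sample
# image. $DumpNames is a constructed subset of the listing on this page.
$DumpNames = @(
    'memory/2760-0-0x0000000000400000-0x0000000000425000-memory.dmp'
    'memory/2760-1-0x0000000000400000-0x0000000000425000-memory.dmp'
    'memory/616-11-0x0000000000400000-0x0000000000425000-memory.dmp'
    'memory/616-16-0x00000000213D0000-0x00000000213F5000-memory.dmp'
    'memory/616-21-0x0000000021400000-0x0000000021425000-memory.dmp'
    'memory/616-26-0x0000000021430000-0x0000000021455000-memory.dmp'
    'memory/616-321-0x0000000021F40000-0x0000000021F65000-memory.dmp'
)

# PID of the submitted sample in this run, read from the listing.
$SamplePid = 2760

function ConvertFrom-DumpName {
    param([string[]]$Names)
    foreach ($n in $Names) {
        # memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
        if ($n -match '^memory/(?<pid>\d+)-(?<seq>\d+)-0x(?<start>[0-9A-Fa-f]+)-0x(?<end>[0-9A-Fa-f]+)-memory\.dmp$') {
            $start = [Convert]::ToInt64($Matches.start, 16)
            $end   = [Convert]::ToInt64($Matches.end, 16)
            [pscustomobject]@{
                Pid   = [int]$Matches.pid
                Seq   = [int]$Matches.seq
                Start = $start
                End   = $end
                Size  = $end - $start
            }
        }
    }
}

function Find-ImageSizedRegions {
    param([string[]]$Names, [int]$SamplePid)
    $regions = ConvertFrom-DumpName -Names $Names
    # Image size = size of the sample's own lowest region in its PID (0x25000 here).
    $imageSize = ($regions | Where-Object Pid -eq $SamplePid | Sort-Object Start | Select-Object -First 1).Size
    $regions |
        Where-Object { $_.Pid -ne $SamplePid -and $_.Size -eq $imageSize } |
        Sort-Object Pid, Start |
        Select-Object Pid, Seq,
            @{ n = 'Start'; e = { '0x{0:X8}' -f $_.Start } },
            @{ n = 'Size';  e = { '0x{0:X}'  -f $_.Size } }
}

Find-ImageSizedRegions -Names $DumpNames -SamplePid $SamplePid | Format-Table -AutoSize
```

Run against the full listing, every region reported for PID 616 comes out at 0x25000 bytes, the sample's image size. That is a heuristic, not proof of injection: the actual content of those dumps has to be compared with the sample's PE (for example by hashing the dumped regions or checking for the MZ header) before concluding that the image was copied into the other process.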