2470e70583d750270b553d8d61e6a10831fb3dfcc9b5fc702fbc9a32b1407667

Analysis

max time kernel
6s
max time network
9s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 12:14

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

e7700dbda55cb2f9b9e17d61e1c3014a_JaffaCakes118.exe
Size

78KB
MD5

e7700dbda55cb2f9b9e17d61e1c3014a
SHA1

0a2f8c076d2610ee28e95fa0638bed59d444e002
SHA256

2470e70583d750270b553d8d61e6a10831fb3dfcc9b5fc702fbc9a32b1407667
SHA512

05a9a34d3a092bfa8d4d788cf35d7fe63199755cb060b976d8ca86f3afb06c7877a3ea284bd8ae37824bcaea063b180a76aacdd8f84fcd468000b1b2e68f32d4
SSDEEP

1536:cWG/FI34wTFgZ2h93DS8EH7oHzNMLtKXhhRcmU1DpgOAoKJlIK:qI34wTFTh93k7oHCLcvRspBAoKJlIK

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\slgocck.dll	e7700dbda55cb2f9b9e17d61e1c3014a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1712	e7700dbda55cb2f9b9e17d61e1c3014a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e7700dbda55cb2f9b9e17d61e1c3014a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7700dbda55cb2f9b9e17d61e1c3014a_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1712-1-0x0000000001000000-0x0000000001016000-memory.dmp

Filesize
88KB

Download
memory/1712-0-0x0000000001000000-0x0000000001016000-memory.dmp

Filesize
88KB

Download
memory/1712-3-0x0000000001000000-0x0000000001016000-memory.dmp

Filesize
88KB

Download
memory/2676-7-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3036-6-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download