083f2d70fbd1a5f5290660c128124798e94c641fb54a4f2611a9d7edd64a5721

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
Size

4.9MB
MD5

f71924ce90b3e49a4e586dfcad1cdfa8
SHA1

cff90e897e6d544178c5a3f291118b3544ee8615
SHA256

083f2d70fbd1a5f5290660c128124798e94c641fb54a4f2611a9d7edd64a5721
SHA512

b588cb26f559ca8586811d132c60048fda6551b90202e5853dbd86820f0e6836ac0b77ba12a051ff435ca4a8d5ab7938cad6104050a3f4ab6be285f642ed6c6f
SSDEEP

98304:Bis3mjKl5B3UjHXKJlijcFK4eqsWUGdmHgUOdWopV8BaFn9Cu4FK9zAUjd:f3Vl5VUDKJPUmBUi2aFnMu4K8ud

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\order list\\file.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\order list\\file.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2172 set thread context of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exef71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe

pid	Process
2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exef71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
Token: SeDebugPrivilege	2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
Token: 33	2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.execmd.exewscript.execmd.exef71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.execmd.exewscript.execmd.exe

description	pid	Process	procid_target
PID 2172 wrote to memory of 2516	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	28
PID 2172 wrote to memory of 2516	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	28
PID 2172 wrote to memory of 2516	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	28
PID 2172 wrote to memory of 2516	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	28
PID 2516 wrote to memory of 2604	2516	cmd.exe	30
PID 2516 wrote to memory of 2604	2516	cmd.exe	30
PID 2516 wrote to memory of 2604	2516	cmd.exe	30
PID 2516 wrote to memory of 2604	2516	cmd.exe	30
PID 2172 wrote to memory of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31
PID 2604 wrote to memory of 2688	2604	wscript.exe	32
PID 2604 wrote to memory of 2688	2604	wscript.exe	32
PID 2604 wrote to memory of 2688	2604	wscript.exe	32
PID 2604 wrote to memory of 2688	2604	wscript.exe	32
PID 2688 wrote to memory of 2852	2688	cmd.exe	34
PID 2688 wrote to memory of 2852	2688	cmd.exe	34
PID 2688 wrote to memory of 2852	2688	cmd.exe	34
PID 2688 wrote to memory of 2852	2688	cmd.exe	34
PID 2172 wrote to memory of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2724	2172	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	31
PID 2724 wrote to memory of 1700	2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	35
PID 2724 wrote to memory of 1700	2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	35
PID 2724 wrote to memory of 1700	2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	35
PID 2724 wrote to memory of 1700	2724	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	35
PID 1700 wrote to memory of 2136	1700	cmd.exe	37
PID 1700 wrote to memory of 2136	1700	cmd.exe	37
PID 1700 wrote to memory of 2136	1700	cmd.exe	37
PID 1700 wrote to memory of 2136	1700	cmd.exe	37
PID 2136 wrote to memory of 528	2136	wscript.exe	38
PID 2136 wrote to memory of 528	2136	wscript.exe	38
PID 2136 wrote to memory of 528	2136	wscript.exe	38
PID 2136 wrote to memory of 528	2136	wscript.exe	38
PID 528 wrote to memory of 680	528	cmd.exe	40
PID 528 wrote to memory of 680	528	cmd.exe	40
PID 528 wrote to memory of 680	528	cmd.exe	40
PID 528 wrote to memory of 680	528	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\order list\mata.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\order list\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\order list\mata2.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\order list\mata2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\order list\file.exe" /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:2852
- C:\Users\Admin\AppData\Local\Temp\f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\order list\mata.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\order list\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\order list\mata2.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\order list\mata2.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:528
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\order list\file.exe" /f
        6⤵
        Modifies WinLogon for persistence
        
        PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\order list\file.exe

Filesize
64KB

MD5
5c373b3edcabc41fdfd90f771f08fba1

SHA1
ad1d6717e14a03a05df36cc990961b377b8d2435

SHA256
3d6b91c72efc62ee66f4b7869732f848c1049e3559cdbd3f107643d385e07f17

SHA512
eb5e4be6ab3f0f8af341a3c858afb09c5f7f293a02b4f81937eb86fe0135546c91ee68a8ba9c70463fc20964c0cfbebee3e8afdf04269411e56dcff4a76d2773

Download Submit
C:\Users\Admin\AppData\Local\Temp\order list\file.exe

Filesize
4.9MB

MD5
f71924ce90b3e49a4e586dfcad1cdfa8

SHA1
cff90e897e6d544178c5a3f291118b3544ee8615

SHA256
083f2d70fbd1a5f5290660c128124798e94c641fb54a4f2611a9d7edd64a5721

SHA512
b588cb26f559ca8586811d132c60048fda6551b90202e5853dbd86820f0e6836ac0b77ba12a051ff435ca4a8d5ab7938cad6104050a3f4ab6be285f642ed6c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\order list\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\order list\mata.bat

Filesize
70B

MD5
12fb588729977f17add4e0f761889009

SHA1
483c1b1bd0548fb0abfc3316cf0236410aa5f683

SHA256
03b7339514489ed2e17e632865de4d9c91047ae8db0d4d658fd554ee2952381e

SHA512
c3422674f565abbb23685d0024dc8fa1a701a8b4d74c8b20b9c0cba6427f35a2211d7d4dbb0e2ed144615274d51b84af8f559e18f137c7b0ee4cbbe0c51873c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\order list\mata2.bat

Filesize
246B

MD5
d1c2f44434eddee4c26c3555a0eee550

SHA1
986a3a4c06082b3327c022b7113ac371d8910c8a

SHA256
e4f1eb08866ac53220f8b5fa27e7524df70317d41b26dcab4513436ac62f81a2

SHA512
947bdc541dcd94770ab2258c618a4fa56e83e34b67928766d5fc042b817a4e5fd270bf9385a1a4e1c4b82683ee7f6339786922d4d9ab5b576027514ddbb7eb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/2172-0-0x0000000074FE0000-0x000000007558B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-2-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2172-1-0x0000000074FE0000-0x000000007558B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-52-0x0000000074FE0000-0x000000007558B000-memory.dmp

Filesize
5.7MB

Download
memory/2724-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-24-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2724-27-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2724-29-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2724-31-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2724-32-0x0000000074FE0000-0x000000007558B000-memory.dmp

Filesize
5.7MB

Download
memory/2724-33-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/2724-34-0x0000000074FE0000-0x000000007558B000-memory.dmp

Filesize
5.7MB

Download
memory/2724-23-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2724-22-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2724-17-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2724-15-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2724-53-0x0000000074FE0000-0x000000007558B000-memory.dmp

Filesize
5.7MB

Download