6eeb986b968e6bf66a513c8d4e2f882eb133a5619ee059641549a5d91c0c8ac6

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faf47c3f8f41238d16768aa22637f597_JaffaCakes118.exe
Size

222KB
MD5

faf47c3f8f41238d16768aa22637f597
SHA1

bda2ae8a56454619890bc335b717f68bbf22f99b
SHA256

6eeb986b968e6bf66a513c8d4e2f882eb133a5619ee059641549a5d91c0c8ac6
SHA512

8a03f31238b81cf74027df9b69aebf98f9ea0bd8e9a5403341791abb6ea66af19cdcef4676aeacacf5a4454f28e80cb0a9d405301814adb4033368786686574a
SSDEEP

6144:Ug6oiYyQfADzRtqXEsZYUmDvvI0Hw7r6aH0bY:f6oUQkSXEsZgH1Hir6aUE

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
440	WINL0G0N.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\WINL0G0N.EXE /nosplash"	faf47c3f8f41238d16768aa22637f597_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WINL0G0N.EXE	faf47c3f8f41238d16768aa22637f597_JaffaCakes118.exe
File opened for modification	C:\Windows\WINL0G0N.EXE	faf47c3f8f41238d16768aa22637f597_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 440	1892	faf47c3f8f41238d16768aa22637f597_JaffaCakes118.exe	99
PID 1892 wrote to memory of 440	1892	faf47c3f8f41238d16768aa22637f597_JaffaCakes118.exe	99
PID 1892 wrote to memory of 440	1892	faf47c3f8f41238d16768aa22637f597_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\faf47c3f8f41238d16768aa22637f597_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faf47c3f8f41238d16768aa22637f597_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\WINL0G0N.EXE
  C:\Windows\WINL0G0N.EXE
  2⤵
  - Executes dropped EXE
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WINL0G0N.EXE

Filesize
222KB

MD5
faf47c3f8f41238d16768aa22637f597

SHA1
bda2ae8a56454619890bc335b717f68bbf22f99b

SHA256
6eeb986b968e6bf66a513c8d4e2f882eb133a5619ee059641549a5d91c0c8ac6

SHA512
8a03f31238b81cf74027df9b69aebf98f9ea0bd8e9a5403341791abb6ea66af19cdcef4676aeacacf5a4454f28e80cb0a9d405301814adb4033368786686574a

Download Submit
memory/440-14-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/440-15-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/440-16-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/440-17-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/440-18-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1892-2-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1892-3-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1892-7-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1892-8-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1892-1-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1892-12-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1892-0-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1892-19-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads