26df075aa765b16d25d56cd07d06d356eff21544b548c16e3591387151f2db52

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
Size

711KB
MD5

6575395cffed8af89f7a8aad95ab22f7
SHA1

1c11e008c2ffb447e651913f6a321b6df7c1f0e0
SHA256

26df075aa765b16d25d56cd07d06d356eff21544b548c16e3591387151f2db52
SHA512

e844cbceb5d0a9e72fc88ec18103c31dbe079cf3495f842cac3df260317bf9b68b6385fabd581ea5ebc9d2d6f44382e0987a9c0e95033634740992ff8afe3ade
SSDEEP

12288:NmWhND9yJz+b1FcMLmp2ATTSsdNmWhND9yJz+b1FcMLmp2ATTSsdS:NmUNJyJqb1FcMap2ATT5rmUNJyJqb1FB

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3968 svchost.exe

pid	process
3968	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\15796be6 = "\x10ž¾‹-TAx¼\u0090\u008f³šU’\x1c\u008fx‘ÎÏ}þ4¤ç>¬\x01bèÿúÝÒ\x11\x1bÚÏ\x12áéŠâ\x04ÂÕw\x13´B™Jk\x1f„\x1fYyl»\x13\u008d\x04\x01wÌy3R3)åÛ+ªÒ\\$ty«i\x03tÇ•9£óòêw)Õ¥:JBš\x1bÉÿ\x01™«áKÍ%‘œ+Üa\füº\x11…ïD\x7fì*Ó“Ú\x0f5J17\u008f\x1bûû\x1fùŠ\n\x1a\u009dj½yurÔI²Cs:u\x1a±\x191y{4\x13M\u0081\a·…/\x19/\x14™Ò!Z\x0fÊM%÷+òäÒClm5q\u009d’qË$Êrz#”m¹5KÃâª;4\u008d£:E¯¯‘«ÁÚü\tQIMù…\rziL\x17gZ¼cÓ\x1b\x0fÁd\a\x13)Äq“¥9çéÁ¬‰iÛí¥ú$i"	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\15796be6 = "\x10ž¾‹-TAx¼\u0090\u008f³šU’\x1c\u008fx‘ÎÏ}þ4¤ç>¬\x01bèÿúÝÒ\x11\x1bÚÏ\x12áéŠâ\x04ÂÕw\x13´B™Jk\x1f„\x1fYyl»\x13\u008d\x04\x01wÌy3R3)åÛ+ªÒ\\$ty«i\x03tÇ•9£óòêw)Õ¥:JBš\x1bÉÿ\x01™«áKÍ%‘œ+Üa\füº\x11…ïD\x7fì*Ó“Ú\x0f5J17\u008f\x1bûû\x1fùŠ\n\x1a\u009dj½yurÔI²Cs:u\x1a±\x191y{4\x13M\u0081\a·…/\x19/\x14™Ò!Z\x0fÊM%÷+òäÒClm5q\u009d’qË$Êrz#”m¹5KÃâª;4\u008d£:E¯¯‘«ÁÚü\tQIMù…\rziL\x17gZ¼cÓ\x1b\x0fÁd\a\x13)Äq“¥9çéÁ¬‰iÛí¥ú$i"	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\apppatch\svchost.exe	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exesvchost.exe

pid	process
1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe
3968	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe

pid process

1820 6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe

description	pid	process	target process
PID 1820 wrote to memory of 3968	1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe	svchost.exe
PID 1820 wrote to memory of 3968	1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe	svchost.exe
PID 1820 wrote to memory of 3968	1820	6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6575395cffed8af89f7a8aad95ab22f7_JaffaCakes118.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9O7X9C7J\login[1].htm
Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BF8.tmp
Filesize
61KB

MD5
9cdbe756fabf39a3c065970020862f44

SHA1
027976cd9fbc2868ea69f448bca394b107dcf6e1

SHA256
fd87dba7e560ab6953b1a3d50c1b1060194fff1af1820aa9a58e98924eadff64

SHA512
932ba6568624c3bb805a38da1af0de5cff962ea8b9010a7d52106e2acea70fad609915be28c16d8f686d995734707dfc87326def4f67462638ae68e62162cce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F13.tmp
Filesize
457B

MD5
27d3ea64ef0f44f8002f175950e3dedf

SHA1
45664f15cc95011360e6e0742ca70ca4443737c2

SHA256
e06beacdcc1ad1cfbe80aadb8a62d04c80c45e0e603c63b2e4313bfc32b7f50c

SHA512
24eff55499cfcfcad8ec8df6e7648b0f16cb2663b5f7d35d1a77caf8f5c5c08a4ad7eda6752113ecca448704e88d38035c43b77f48487954aae3d0ba607365bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F13.tmp
Filesize
457B

MD5
531ec87a0b2f9477a52d88b111d0d46a

SHA1
50a72e5752075309f91c062e0282a7e7cd1e751e

SHA256
4875b451859b1eb8d0d3b040b1bb8d654d212edb6d9c721cf0f4372129579385

SHA512
07994963fd76b31ef0ba2c7f418dcb3ee0290f6baca2d8ec63a6e6b861557b13fbc20d2f0a10a66f35c4d72d4d2c1920ac88b96174604f2f8856868912327da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADAA.tmp
Filesize
1KB

MD5
b65ce2997dfed58e7e2205120bcdb1e4

SHA1
785b60a73d76be93111fca8b96d67339cdc68312

SHA256
59e00925b667279dad58b042b4413ede6d8391180a5a968d0450b84a78383336

SHA512
80650388c8d0c448d08f25a1603b517f02f877d9f93a5e25072ac021c2356744757a70e0df322eeb8e02489e7540a1f3c7577cd1ce5c0876a5740f58d01ee682

Download Submit
C:\Users\Admin\AppData\Local\Temp\E90.tmp
Filesize
481B

MD5
1db994dbdc4bbd289f1ec8b0a43b0fb3

SHA1
db5608384a34882903cbc0af1057e03e99f560e3

SHA256
bd071967e37c7b73e19ac72aad8c936ab8f7ed646d158fb69192d487dff00f07

SHA512
0adfb37627c54530c262ea8145b05faedc936924f0544d9c93bf37e247953aed002374ae54d6c4f83915045b898e39588b003c52014bea59c12b067dce16b4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F15.tmp
Filesize
42KB

MD5
d8c03a2567ec147becc99447d89164bf

SHA1
be4c7479bc448b1efe4992315662b7224503f8ae

SHA256
a823be41c2b0f92529a9f7387fe38bc7e416625004346ef81b2b8e66cfb9b13d

SHA512
6f8f6b48ea570f57dc388a0885965f8c9c4de05751c55847b1c0a5795eabbb6cacea17b3791742b9d944f55f4f32ae835bb6b9f7dc2dbf9b8932bf16dcf1e57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F15.tmp
Filesize
42KB

MD5
6bffb3960a109a712b8fe38231114a54

SHA1
c143e3a7cce60eafeaa59f846e9345be97333116

SHA256
cff7e9c858c0ba49fef4c7ad338ef73cb2397997ffe9fd41993a843219e1a91c

SHA512
d6eb94c280bf4ab4285634adf39d0e910313ba8b5df18b3f9be02982c43b2049c84738616067fd97915c8e1234ef6bdb3c99b53b0d0fdeb3991b1b6a8beeac3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF38.tmp
Filesize
593B

MD5
3b03d93d3487806337b5c6443ce7a62d

SHA1
93a7a790bb6348606cbdaf5daeaaf4ea8cf731d0

SHA256
7392749832c70fcfc2d440d7afc2f880000dd564930d95d634eb1199fa15de30

SHA512
770977beaeedafc5c98d0c32edc8c6c850f05e9f363bc9997fa73991646b02e5d40ceed0017b06caeab0db86423844bc4b0a9f0df2d8239230e423a7bfbd4a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF38.tmp
Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Windows\apppatch\svchost.exe
Filesize
711KB

MD5
c04d3a638c08431dadfb8c7a3375c2c0

SHA1
5deee307731789cea9c4e522ee50c61253b518cf

SHA256
5ec90072cb760bfc730dcb7236bf633d6cf14a1bcde875087303b4fc318df3d0

SHA512
2b60364eb2748473d40d7d56e3bf86f1f72bde070c5cc4b39356d18316a2a020ee3530719aa34ac8c354e68fc9acad5dbc5177d2409078426f3b4b63bed3fcfb

Download Submit
memory/1820-8-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3968-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-15-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-11-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-10-0x0000000002720000-0x00000000027C8000-memory.dmp

Filesize
672KB

Download
memory/3968-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3968-302-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download