Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 12/06/2024, 18:29
Static task: static1
Behavioral task: behavioral1
- Sample: a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
- Size: 1.7MB
- MD5: a1be9a0c2c85599235c3be2e4184607b
- SHA1: f227faf68af52b92f52b06a0bcd854e496178b79
- SHA256: 2a25b5d94792b3a014f279dfabf23a59bcc3857a664a9ba790944d2ad48a86c9
- SHA512: a1d3df5142b0866702ed1267afe4382495d13893c7352f2a4bb327cd98608a0056ac87bc4e9c5f6e66502fd1328d7585f1785ebf1da9432cb19e6ea62107da7e
- SSDEEP: 24576:CmUNJyJqb1FcMap2ATT5rmUNJyJqb1FcMap6mUNJyJqb1FcMap2ATT5rmUNJyJqG:CmV2AprmV6mV2AprmV6mV2AprmVG
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
  process: svchost.exe
Executes dropped EXE 1 IoCs
- pid: 1996, process: svchost.exe
Loads dropped DLL 2 IoCs
- pid: 1736, process: a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe (2 entries)
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\444a6fdf = "ÿN7ýä\föÊ&oæëã‹R¯(&^-`\x05GB*EÞºWÒþ\x12\nr!Z’\x14¶JE\fjZ\x1ay\x1c\x12qá9Š\x119#\u00adBJZ’!º\x1crÑlžòz\x12ÚÊú‚$Šëéf²½‘>Ñ:\x13ñƒ2¡»RJIÂk²z\x1a9¡Jò!äBÂmd1âeýêRÚSRrôÔ„\u0081\n²Yî‘\x1et¢:å1\x13bÒ\x0e#Šùû\u00adŠþÉ’Ò~š‚¡ñ”\nòì|å’Z2š’ìÁ²\v$ÕyÚÂ)ü:$c<J.ŠÂ<úz]ªb\n¬œº4‹´3Ûz\x1aË&TüJšÛôjæ-¶ÔÚBöMqêºbTêTõb]Üú\x12~2Jœî¥j\x11Ñ\nœe*¢1™Ûú«\x1eUþ\u008d´\x1aJ\x1bŽ)b" a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\444a6fdf = "ÿN7ýä\föÊ&oæëã‹R¯(&^-`\x05GB*EÞºWÒþ\x12\nr!Z’\x14¶JE\fjZ\x1ay\x1c\x12qá9Š\x119#\u00adBJZ’!º\x1crÑlžòz\x12ÚÊú‚$Šëéf²½‘>Ñ:\x13ñƒ2¡»RJIÂk²z\x1a9¡Jò!äBÂmd1âeýêRÚSRrôÔ„\u0081\n²Yî‘\x1et¢:å1\x13bÒ\x0e#Šùû\u00adŠþÉ’Ò~š‚¡ñ”\nòì|å’Z2š’ìÁ²\v$ÕyÚÂ)ü:$c<J.ŠÂ<úz]ªb\n¬œº4‹´3Ûz\x1aË&TüJšÛôjæ-¶ÔÚBöMqêºbTêTõb]Üú\x12~2Jœî¥j\x11Ñ\nœe*¢1™Ûú«\x1eUþ\u008d´\x1aJ\x1bŽ)b" svchost.exe -
Drops file in Windows directory 2 IoCs
- description: File created
  ioc: C:\Windows\apppatch\svchost.exe
  process: a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
- description: File opened for modification
  ioc: C:\Windows\apppatch\svchost.exe
  process: a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
- pid: 1736, process: a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe (4 entries)
- pid: 1996, process: svchost.exe (5 entries)
Suspicious behavior: RenamesItself 1 IoCs
- pid: 1736, process: a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 4 IoCs
- description: PID 1736 wrote to memory of 1996
  pid: 1736, process: a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe, procid_target: 28 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe"
  PID: 1736
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  Child:
  - C:\Windows\apppatch\svchost.exe
    Command line: "C:\Windows\apppatch\svchost.exe"
    PID: 1996
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Modifies WinLogon
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.7MB
  MD5: 1a4d3917e20b70fb7c26194deb0b40f9
  SHA1: cef6429b496c0bb4dd481687aa44e34b710d9825
  SHA256: 421763ec9ecbb49f320bb917e75f808e5a847b0208fca8db98a59eaf458d028f
  SHA512: e5f89b83d835e51cf908d4d792422da13142616a7ec6fc75881df944838424c794591c79d107b5f364b7e7942c33ec79ed9896e90f1183ed404861491986cc29