Analysis Overview
SHA256
2a25b5d94792b3a014f279dfabf23a59bcc3857a664a9ba790944d2ad48a86c9
Threat Level: Known bad
The file a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 18:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 18:29
Reported
2024-06-12 18:32
Platform
win7-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\444a6fdf = "ÿN7ýä\föÊ&oæëã‹R¯(&^-`\x05GB*EÞºWÒþ\x12\nr!Z’\x14¶JE\fjZ\x1ay\x1c\x12qá9Š\x119#\u00adBJZ’!º\x1crÑlžòz\x12ÚÊú‚$Šëéf²½‘>Ñ:\x13ñƒ2¡»RJIÂk²z\x1a9¡Jò!äBÂmd1âeýêRÚSRrôÔ„\u0081\n²Yî‘\x1et¢:å1\x13bÒ\x0e#Šùû\u00adŠþÉ’Ò~š‚¡ñ”\nòì|å’Z2š’ìÁ²\v$ÕyÚÂ)ü:$c<J.ŠÂ<úz]ªb\n¬œº4‹´3Ûz\x1aË&TüJšÛôjæ-¶ÔÚBöMqêºbTêTõb]Üú\x12~2Jœî¥j\x11Ñ\nœe*¢1™Ûú«\x1eUþ\u008d´\x1aJ\x1bŽ)b" | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\444a6fdf = "ÿN7ýä\föÊ&oæëã‹R¯(&^-`\x05GB*EÞºWÒþ\x12\nr!Z’\x14¶JE\fjZ\x1ay\x1c\x12qá9Š\x119#\u00adBJZ’!º\x1crÑlžòz\x12ÚÊú‚$Šëéf²½‘>Ñ:\x13ñƒ2¡»RJIÂk²z\x1a9¡Jò!äBÂmd1âeýêRÚSRrôÔ„\u0081\n²Yî‘\x1et¢:å1\x13bÒ\x0e#Šùû\u00adŠþÉ’Ò~š‚¡ñ”\nòì|å’Z2š’ìÁ²\v$ÕyÚÂ)ü:$c<J.ŠÂ<úz]ªb\n¬œº4‹´3Ûz\x1aË&TüJšÛôjæ-¶ÔÚBöMqêºbTêTõb]Üú\x12~2Jœî¥j\x11Ñ\nœe*¢1™Ûú«\x1eUþ\u008d´\x1aJ\x1bŽ)b" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1736 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
\Windows\AppPatch\svchost.exe
| MD5 | 1a4d3917e20b70fb7c26194deb0b40f9 |
| SHA1 | cef6429b496c0bb4dd481687aa44e34b710d9825 |
| SHA256 | 421763ec9ecbb49f320bb917e75f808e5a847b0208fca8db98a59eaf458d028f |
| SHA512 | e5f89b83d835e51cf908d4d792422da13142616a7ec6fc75881df944838424c794591c79d107b5f364b7e7942c33ec79ed9896e90f1183ed404861491986cc29 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 18:29
Reported
2024-06-12 18:32
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3a4f0a00 = "–ÖúbQ€:Ä;ýѯv\x06\x14Y_\x15<§\u008f‚ß\rœ‡t+ž„²ßV¼Ì¨U.´/\x1bάŽ_–\x15£í”uÝ\x1c<$N¦\x1f\\..6†uu”.\v›pæ“–\f#ŸK,¾H†„à¿‹L\u009d[¾†\u009d´6ï”TÈF½-tÎã<¤“\x18H{$•¸çç…—^ <>ãÓ|wÖÔŽDÕ›.æVvý\x1cu{Uë|\x1c\fΞw\b»¯\x1c½f»?s7\v;]<\u008d\x0e\v}ÞlÅ\x13¬\x18¼\x18wö|ÀF¼SȇÔ-KŒh•äý\x1e~Ó—5lgn«U\bµƒÓF…ÎÐHÛÝŒåc«Ìä/T& ”^›õ#®–<ßæ0Õwp\x7fÆ„ÄtÔ_Ö€þ¬>Ó§P.\x14dMT\x1c=Ý" | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3a4f0a00 = "–ÖúbQ€:Ä;ýѯv\x06\x14Y_\x15<§\u008f‚ß\rœ‡t+ž„²ßV¼Ì¨U.´/\x1bάŽ_–\x15£í”uÝ\x1c<$N¦\x1f\\..6†uu”.\v›pæ“–\f#ŸK,¾H†„à¿‹L\u009d[¾†\u009d´6ï”TÈF½-tÎã<¤“\x18H{$•¸çç…—^ <>ãÓ|wÖÔŽDÕ›.æVvý\x1cu{Uë|\x1c\fΞw\b»¯\x1c½f»?s7\v;]<\u008d\x0e\v}ÞlÅ\x13¬\x18¼\x18wö|ÀF¼SȇÔ-KŒh•äý\x1e~Ó—5lgn«U\bµƒÓF…ÎÐHÛÝŒåc«Ìä/T& ”^›õ#®–<ßæ0Õwp\x7fÆ„ÄtÔ_Ö€þ¬>Ó§P.\x14dMT\x1c=Ý" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1356 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1be9a0c2c85599235c3be2e4184607b_JaffaCakes118.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 6cde2fbb3e7380533540f1e7c3717c34 |
| SHA1 | c5f7632a1a4504a233b900fe1dedc1233f0f5ba4 |
| SHA256 | 1e95ca2377b67497e3ae350a0bffb72e3173a12a9fe67a685ffa1f701500e9f0 |
| SHA512 | c0e8ba27c8b39223ff7e7eb02f265f971470340ed80147651ec5511e59fac1f37e9112636f95563cf990c66ddee92b5501977b869a460c84e93504af1ab45c0a |