Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 23:30
Static task: static1
Behavioral task: behavioral1
- Sample: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe
- Size: 1.0MB
- MD5: a71d3613016780d00c82f4fb96975956
- SHA1: 43841dc474f6da972b5a6be8705fcaa942084836
- SHA256: 5be2fab6e4c7b734dff715f7a02bf69e00703f57819b71c6758d259469fa77f3
- SHA512: 4ba41c576dc7adad058bdda870eda0a13380a8151ddb88992d5654256fc5235711acc8c1e56bec55417036b18716e8b9fcd28a35c8b4615f3ca9c32ba547643e
- SSDEEP: 24576:vmUNJyJqb1FcMap2ATT5qmUNJyJqb1FcMap2ATT5qmUNJyJqb1FcMap2ATT58:vmV2ApqmV2ApqmV2Ap8
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: svchost.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," (process: svchost.exe)
- Executes dropped EXE (1 IoC)
  Processes: svchost.exe
  - PID 4488 svchost.exe
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Processes: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe, svchost.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f189346 = "A—¿yf7\\I›uíœmÁ¸ŸVã¯\x10éÿ7aÌ£ŠYÁ\vóNmô3ÞÚØ(¼Tq\u009d7pÏ\x15ºd,ýî¿â\v÷¸\x02‘±8ÎY‰Èäd¯Î\x16ãéõiç*y\tm÷ìÇ\u0081Tî\x16S.fÇãî€nˆ(¢Î\x1c^ý0ªf\x0fØ\bp[’sÈpÞ½\x7f¯y¤'^ÐÑôÇÁH\x7fÓ\x1b/&2‰€iã¶\x1aÐ:‹üm8ǘ(\x06\bS¥\u00admI\x14Ú’¤´\u0081ǥǽ*Ì'«,,–Us\x14AIç2êþª8Ç@¸\x0fÚÐH2\x06fº=²\x7f\x15m{'^õ\"S^Ðã\x0fU\u0081:;\x14z¯’€ë–7!\u0081\x7fׯH\x14p\x1c\u00adCI\x0fÛ\u00adJ:UȱêÁ2Á+m‹z*Æ\x14¢U\x15¿^Û\u008f(" (process: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f189346 = "A—¿yf7\\I›uíœmÁ¸ŸVã¯\x10éÿ7aÌ£ŠYÁ\vóNmô3ÞÚØ(¼Tq\u009d7pÏ\x15ºd,ýî¿â\v÷¸\x02‘±8ÎY‰Èäd¯Î\x16ãéõiç*y\tm÷ìÇ\u0081Tî\x16S.fÇãî€nˆ(¢Î\x1c^ý0ªf\x0fØ\bp[’sÈpÞ½\x7f¯y¤'^ÐÑôÇÁH\x7fÓ\x1b/&2‰€iã¶\x1aÐ:‹üm8ǘ(\x06\bS¥\u00admI\x14Ú’¤´\u0081ǥǽ*Ì'«,,–Us\x14AIç2êþª8Ç@¸\x0fÚÐH2\x06fº=²\x7f\x15m{'^õ\"S^Ðã\x0fU\u0081:;\x14z¯’€ë–7!\u0081\x7fׯH\x14p\x1c\u00adCI\x0fÛ\u00adJ:UȱêÁ2Á+m‹z*Æ\x14¢U\x15¿^Û\u008f(" (process: svchost.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe
  - File created: C:\Windows\apppatch\svchost.exe (process: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\apppatch\svchost.exe (process: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe, svchost.exe
  - PID 4904 a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe (8 identical entries)
  - PID 4488 svchost.exe (10 identical entries)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe
  - PID 4904 a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe
  - PID 4904 (a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe) wrote to memory of PID 4488 (target process: svchost.exe) (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a71d3613016780d00c82f4fb96975956_JaffaCakes118.exe"), PID 4904
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\apppatch\svchost.exe (command line: "C:\Windows\apppatch\svchost.exe"), PID 4488
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Modifies WinLogon
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
- MD5: b716580790de5aaf1062f17ef449c6a7
- SHA1: b820837cbae65f0e4926f7d5f459d19e35f322d1
- SHA256: 2925c975ed4919dd564e6a91ad922877c083a55a8d5ab3a035c3e0a39efdd08b
- SHA512: 3928ff0e39adec905218d427a66c8ef1ce81cd2d20600018795e87a9571c9a6038e4abd97069836fe65e6b184d68e78d2985343c71108b509a8f2026ace65a0b