Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:27
Static task
static1
Behavioral task
behavioral1
Sample
a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target: a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe
Size: 1.0MB
MD5: a3886dbfde20c880148a39e8ef2e8fd6
SHA1: 8a76bd9e0bfbf4b9d22c108a591be2708916347b
SHA256: 80ed75a5132447c1be1c6f4c30ebc8e069294d7f6e62e3fcaf8802b8bbe23907
SHA512: b3a67b0563ad621b43eb29dc67165bf32bb0c34994733a6bfc9df0334bbe1b9377ad1e6bfcf406a784662a223c00ba8aa3c7bed2557d8b8c667cd86272e1d03c
SSDEEP: 24576:NmUNJyJqb1FcMap2ATT5PmUNJyJqb1FcMap2ATT5PmUNJyJqb1FcMap2ATT58:NmV2ApPmV2ApPmV2Ap8
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | svchost.exe
Executes dropped EXE (1 IoC)
pid | Process
1628 | svchost.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e1c121d6 = "÷oJÍ\\DÖÿÉQVd\\]\fkBÙ’Q‡Ôj¶\x7f±~ìD¥Yú¹lj²\n\x14¨M2\tz±j¦é@AššŠ‰Y¸|¢ÖÒ¹\x1až\x1aŒXÄùñ9&a!”ñMaêêº\x11Èâ\x11æÄ©¡º@¢9j\x1c$\u0081ùÐ\nª™Í!\x1e¢\x19ɲQD‚Tfð<âb±A\x1aí1QâqPñZ\x19êt\x14m°\x1díNzV2˜ q²à\x1aâ¸È0\"4™øÞ‚¹Jé@¼®=òbÜ<âÕõÂ\x12Zî\x11\u009d" | a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e1c121d6 = "÷oJÍ\\DÖÿÉQVd\\]\fkBÙ’Q‡Ôj¶\x7f±~ìD¥Yú¹lj²\n\x14¨M2\tz±j¦é@AššŠ‰Y¸|¢ÖÒ¹\x1až\x1aŒXÄùñ9&a!”ñMaêêº\x11Èâ\x11æÄ©¡º@¢9j\x1c$\u0081ùÐ\nª™Í!\x1e¢\x19ɲQD‚Tfð<âb±A\x1aí1QâqPñZ\x19êt\x14m°\x1díNzV2˜ q²à\x1aâ¸È0\"4™øÞ‚¹Jé@¼®=òbÜ<âÕõÂ\x12Zî\x11\u009d" | svchost.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\apppatch\svchost.exe | a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe
File opened for modification | C:\Windows\apppatch\svchost.exe | a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
3704 | a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe (8 entries)
1628 | svchost.exe (10 entries)
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
3704 | a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3704 wrote to memory of 1628 | 3704 | a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | 82
PID 3704 wrote to memory of 1628 | 3704 | a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | 82
PID 3704 wrote to memory of 1628 | 3704 | a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | 82
Processes
1. C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe"
   PID: 3704
   - Modifies WinLogon
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\apppatch\svchost.exe (child of PID 3704)
      Command line: "C:\Windows\apppatch\svchost.exe"
      PID: 1628
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Modifies WinLogon
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.0MB
MD5: 114035a8bc50067475d380b644cabd76
SHA1: 36ddd43d15f1f8318feede04e3abb6df0373b1f2
SHA256: 5d04edadd37576aa7893bdc0bc3afba07812e7f0e9cb048aec613d7758a3ebb3
SHA512: 3a96aca772f4e79ea4e227840fc1767027b0ebc580373d27c6e88e15084bb3b566f9df82e4b688d02d3640d5bd4bfcf7a3e8813a8e4d75f1f57c2f746e1126cc