aab8eaff9af3ac90b28e4e613db329fb6817918ea046c3fe44349ef5a86d4296

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
Size

568KB
MD5

00d55a0adfb2ee1394ddb368be5c7d24
SHA1

42c1ae2858be19c3aaf58f1a5ceff090f092570c
SHA256

aab8eaff9af3ac90b28e4e613db329fb6817918ea046c3fe44349ef5a86d4296
SHA512

a11c51b17d0a6cad3974dd6f579b40700b2ace608c02cd7d35ab6509be5157ef00ccf46cf623291e93d40b2f91f7761eb79bd6cd8b234fa6da232e0e649badad
SSDEEP

6144:SEkNbZcQblOeRpBJ+CGGDKLe8Wiyq+MsbzWqqKUzq7Cm6oB3U6Mcd7yg2FQ6F:SEkNbZHbbz4kKdsbzWqVUzCgQdB2Sq

Score

10^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	winlogon.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2192	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	winlogon.exe
1980	winlogon.exe

Loads dropped DLL 3 IoCs

pid	Process
2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
2696	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\""	winlogon.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2696 set thread context of 1980	2696	winlogon.exe	33

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
2696	winlogon.exe
1980	winlogon.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2100	2964	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	28
PID 2100 wrote to memory of 2192	2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2192	2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2192	2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2192	2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2696	2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2696	2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2696	2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2696	2100	00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe	32
PID 2696 wrote to memory of 1980	2696	winlogon.exe	33
PID 2696 wrote to memory of 1980	2696	winlogon.exe	33
PID 2696 wrote to memory of 1980	2696	winlogon.exe	33
PID 2696 wrote to memory of 1980	2696	winlogon.exe	33
PID 2696 wrote to memory of 1980	2696	winlogon.exe	33
PID 2696 wrote to memory of 1980	2696	winlogon.exe	33
PID 2696 wrote to memory of 1980	2696	winlogon.exe	33
PID 2696 wrote to memory of 1980	2696	winlogon.exe	33
PID 2696 wrote to memory of 1980	2696	winlogon.exe	33
PID 2696 wrote to memory of 1980	2696	winlogon.exe	33

C:\Users\Admin\AppData\Local\Temp\00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2192
- - C:\Users\Admin\AppData\Roaming\winlogon.exe
    /d C:\Users\Admin\AppData\Local\Temp\00d55a0adfb2ee1394ddb368be5c7d24_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Roaming\winlogon.exe
      "C:\Users\Admin\AppData\Roaming\winlogon.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
568KB

MD5
e409473c2c231c1cf0a5724736c2e344

SHA1
6fca90418420071f46a9bd4035a1d591439937c4

SHA256
52d62d8bab76a8cb853052d4e31f6dcd8c8d17c8a713e960fb970937ae965033

SHA512
688e4c21de78d50c11a54ddbf89058e770f0f74fc15a11ae2e446d19b42c77007ee8558460ff11fc58b8e01dde9aad66166df908c31989e9cf619b69ce4ab2c8

Download Submit
memory/1980-37-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-36-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-40-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-39-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-30-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-31-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-38-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-34-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-32-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-35-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-33-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2100-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2100-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2100-18-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2100-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads