541324e3063261784a6c5b181192ce6b6aa4b3b7c3cfba2ffa4c7814d3b7cde4

Analysis

max time kernel
146s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a1197a7052f9b6faae4475b0d1cdce_JaffaCakes118.exe
Size

104KB
MD5

06a1197a7052f9b6faae4475b0d1cdce
SHA1

8dcbbab72925b63e9c1506352d214c70e8d57058
SHA256

541324e3063261784a6c5b181192ce6b6aa4b3b7c3cfba2ffa4c7814d3b7cde4
SHA512

7875612573823a7b2bd41cbcd63c0d960d8b07e2813800eebe751303d16aaf8453507c99ba7d5149b65c9aa6df1df64f65e266ca1603a1f00e6a6c3fa38050aa
SSDEEP

1536:m2k1Ieaeu/kSBuxzZRD4Ys/gFvBYXniNtUUoBrghQbOdDlgTVpgQC:deah8SBAVRDQ/yv2Xe+UoeCbOLgnC

Score

8^/10

persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-BAFA-00BB00B6017B}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-BAFA-00BB00B6017B}\StubPath = "C:\\Windows\\winlogon.exe"	winlogon.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	winlogon.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1856-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x000a000000014288-9.dat	upx
behavioral1/memory/2900-12-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/1856-24-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2900-25-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Logon Application = "C:\\Windows\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Windows Logon Application = "C:\\Windows\\winlogon.exe"	winlogon.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kernel.bat	winlogon.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	06a1197a7052f9b6faae4475b0d1cdce_JaffaCakes118.exe
File opened for modification	C:\Windows\winlogon.exe	06a1197a7052f9b6faae4475b0d1cdce_JaffaCakes118.exe
File opened for modification	C:\Windows\winlogon.exe	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe
2900	winlogon.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1856	06a1197a7052f9b6faae4475b0d1cdce_JaffaCakes118.exe
2900	winlogon.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2900	1856	06a1197a7052f9b6faae4475b0d1cdce_JaffaCakes118.exe	28
PID 1856 wrote to memory of 2900	1856	06a1197a7052f9b6faae4475b0d1cdce_JaffaCakes118.exe	28
PID 1856 wrote to memory of 2900	1856	06a1197a7052f9b6faae4475b0d1cdce_JaffaCakes118.exe	28
PID 1856 wrote to memory of 2900	1856	06a1197a7052f9b6faae4475b0d1cdce_JaffaCakes118.exe	28
PID 2900 wrote to memory of 2408	2900	winlogon.exe	29
PID 2900 wrote to memory of 2408	2900	winlogon.exe	29
PID 2900 wrote to memory of 2408	2900	winlogon.exe	29
PID 2900 wrote to memory of 2408	2900	winlogon.exe	29

C:\Users\Admin\AppData\Local\Temp\06a1197a7052f9b6faae4475b0d1cdce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06a1197a7052f9b6faae4475b0d1cdce_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\winlogon.exe
  C:\Windows\winlogon.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Kernel.bat
    3⤵
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kernel.bat

Filesize
7KB

MD5
92b8a611141c968aeb14bbbf401773c8

SHA1
6405cbd5c79816a18c718928cc7daa2892e0debf

SHA256
7629198f1d2365efdea5a3bf5863734ca625d2d57b3b6467f97b9ecc83770875

SHA512
a8e4f9f04d059fd3f030f6eff9d0bfc0bcc21fcb8f40b64feeabad197071057f1fce719395b8c4a0570087858d0a7bc7827195cf704a8ef0fb347fa04a7912c9

Download Submit
C:\Windows\winlogon.exe

Filesize
104KB

MD5
06a1197a7052f9b6faae4475b0d1cdce

SHA1
8dcbbab72925b63e9c1506352d214c70e8d57058

SHA256
541324e3063261784a6c5b181192ce6b6aa4b3b7c3cfba2ffa4c7814d3b7cde4

SHA512
7875612573823a7b2bd41cbcd63c0d960d8b07e2813800eebe751303d16aaf8453507c99ba7d5149b65c9aa6df1df64f65e266ca1603a1f00e6a6c3fa38050aa

Download Submit
memory/1856-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1856-11-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1856-10-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1856-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2900-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2900-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download