90644b26edb6f82b8af979d27ed9f82eeac2027e2f283e7cbf7e3b49a2edd313

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
Size

245KB
MD5

07f7a25e73336981be470e77cbad2b6d
SHA1

e70a5e684a164895f0d6346caa18f9591318324e
SHA256

90644b26edb6f82b8af979d27ed9f82eeac2027e2f283e7cbf7e3b49a2edd313
SHA512

2bb995adddab1a927f8eeb67b1e876c2bad49e556dbd4a6e544f00f3f170c0de911f284675f53243b017dc292c4e4441a4bd012dcac1728e57aeed9885626044
SSDEEP

6144:hBCb2cOL7SLMOQi9gvjVNQQjIwfQqsDbxRA0U:hBChWIOvjV61LA0U

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\07F7A2~1.EXE,"	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\07F7A2~1.EXE"	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\43087df6 = "@Û\u008f$(Va7/XU\x04‚¥\x7f=\x13‘~°þrßh¬:Âe'¿¶ñÓ'Ò4å\x1dâËþ\x05¤²\"\b¤¨ó:‰.5¥)¤;¬séðÇI‹\x06FôŽ²\u00adå3\bˆ\u00a0\x1eïc`QåÎ\x1aôZ±KÉszIÃBÒó¡ãTªèËzÛÀ\vùƒ€«+Iù9ùáãœÓ\x19›R\x1aùƒiÁ›»ò³\x19ƒrS\t)±2’¤3Aâ\|ƒùz<úÂZÈ¢lihy3réhR¬8\x1b#³º\x14+8ˆâCã@\\©q)ÒÓ{`Ó,Ô{\x01)Ñák¢˜{SªÜQ\b1àÙèùÑ:±Ë°Ø‘C\"\x12\x1aŠ¹jüS\x1ch(©p3Bc¹a\x02\x18‰\x02\u00a022ºó\v’\x01\"\x10kq;³È°z\x13\x19\u00a0\"Ã3\n"	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\07F7A2~1.EXE"	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
Token: SeSecurityPrivilege	5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
Token: SeSecurityPrivilege	5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
Token: SeSecurityPrivilege	5044	07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07f7a25e73336981be470e77cbad2b6d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5044-0-0x000000007FDE0000-0x000000007FE49000-memory.dmp

Filesize
420KB

Download
memory/5044-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5044-2-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/5044-3-0x00000000022E0000-0x0000000002392000-memory.dmp

Filesize
712KB

Download
memory/5044-4-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5044-5-0x0000000002920000-0x00000000029D8000-memory.dmp

Filesize
736KB

Download
memory/5044-7-0x0000000002920000-0x00000000029D8000-memory.dmp

Filesize
736KB

Download
memory/5044-9-0x0000000002920000-0x00000000029D8000-memory.dmp

Filesize
736KB

Download
memory/5044-58-0x000000007FDE0000-0x000000007FE49000-memory.dmp

Filesize
420KB

Download
memory/5044-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5044-62-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/5044-66-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/5044-84-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download