c4ddc309d779a97ee858a7a2d51b00d1b4e6520936ba286ce5d9df95568788ea

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
Size

407KB
MD5

0e678cc7200d5237b10aed249321fde1
SHA1

3652ab54bd034fdc49bcfd5f5ecdc65ec0c4c127
SHA256

c4ddc309d779a97ee858a7a2d51b00d1b4e6520936ba286ce5d9df95568788ea
SHA512

fa448066c5cf2f153c23b2ac955d69d673b64a94c90cbc2f4433b0b47cacbde70d3d8ba9d9214f016cb13e5ebd0b91ef6c7faa49b2ba30b4f5aad7c7c446a78b
SSDEEP

12288:ug0Cq6x4aIhpJIew5rzWZfb6YkOVYGXKmRjVNW:uyfsJezoxkOVim

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\bG20302KnHeE20302\\bG20302KnHeE20302.exe"	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1532	bG20302KnHeE20302.exe

Executes dropped EXE 1 IoCs

pid	Process
1532	bG20302KnHeE20302.exe

Loads dropped DLL 2 IoCs

pid	Process
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/616-1-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/616-80-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/616-101-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/1532-104-0x0000000000400000-0x00000000004CC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\bG20302KnHeE20302 = "C:\\ProgramData\\bG20302KnHeE20302\\bG20302KnHeE20302.exe"	bG20302KnHeE20302.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
Token: SeDebugPrivilege	1532	bG20302KnHeE20302.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 1532	616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe	32
PID 616 wrote to memory of 1532	616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe	32
PID 616 wrote to memory of 1532	616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe	32
PID 616 wrote to memory of 1532	616	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616
- C:\ProgramData\bG20302KnHeE20302\bG20302KnHeE20302.exe
  "C:\ProgramData\bG20302KnHeE20302\bG20302KnHeE20302.exe" "C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bG20302KnHeE20302\bG20302KnHeE20302

Filesize
208B

MD5
2bbc0afc468ef985ee861b9af300f4d5

SHA1
f08fc4d7e6daf7b2c51b7fee199e3582a19dbffc

SHA256
18cd868dee81ff4b25014c2902cb871abcf2c8d57f7192ed0eec831f497034be

SHA512
c19662cc9d7cf5a124ab8df3c9900ae59c621e533b1b56a75060acf64b229326787a883a12a67f52a9f2498c224af51e37d17113d8c79a30030d75b1a3860888

Download Submit
\ProgramData\bG20302KnHeE20302\bG20302KnHeE20302.exe

Filesize
407KB

MD5
d50d8cad282b9ee92221b52ade6f802d

SHA1
e2725d8a983999328f78e3fa4c870bb1a8503cc8

SHA256
286163a2c99144bcb32789ae40bfd54e05fe74f1faa4e8b2e7d595710b707e22

SHA512
32352f94f03127457803f7d2961fa535e0d5500300dc5f06950e18db60ea7d71113434a3c8724cfd2e00508653808717b8ca33bb44fddc2ecd07d46d65ea2deb

Download Submit
memory/616-0-0x0000000000250000-0x0000000000253000-memory.dmp

Filesize
12KB

Download
memory/616-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/616-7-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/616-80-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/616-101-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1532-103-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1532-104-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download