142e0e9affbec41b3e39693be94812e760e70910bbf82231ea82f1389324c840

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
Size

268KB
MD5

0e8e8b3feb0010cab6224a0bb86ac1c7
SHA1

b4af33aec8935347e0b73a3ffb6935151768ea58
SHA256

142e0e9affbec41b3e39693be94812e760e70910bbf82231ea82f1389324c840
SHA512

b24e88fe3704fe276ece862b17a04ca653f1bc36e83f71c8e78617ef73accd529d9e1e250cff3da2b2be36b130716b37e68805661c71f7c38d98e3552ad61b75
SSDEEP

6144:XQpW3I6/d8e+h+CFxmG7fePJxdmxzCpMy/CbN:gg3IO+h+C2sePVKz0abN

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\0E8E8B~1.EXE,"	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0E8E8B~1.EXE"	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4a80d10f = "“‚\x15M#$\x12›<Eg!…\x16¤\x05X\x19\x05}Ü¨ìØŸo\n\x04˜tåÁ\b´2eL‘9ö¨0ÌB\\À;ño·\x11\x18\x1a`µ\u008fÀ\"CDº©ÓáË÷yîÅ¶Úó·…—<Ã\v\x1dãÿÁôc\u0090æ1¡R"	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0E8E8B~1.EXE"	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
Token: SeSecurityPrivilege	2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
Token: SeSecurityPrivilege	2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
Token: SeSecurityPrivilege	2008	0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e8e8b3feb0010cab6224a0bb86ac1c7_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2008-1-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2008-3-0x0000000002260000-0x0000000002321000-memory.dmp

Filesize
772KB

Download
memory/2008-5-0x0000000002260000-0x0000000002321000-memory.dmp

Filesize
772KB

Download
memory/2008-9-0x0000000002260000-0x0000000002321000-memory.dmp

Filesize
772KB

Download
memory/2008-11-0x0000000002260000-0x0000000002321000-memory.dmp

Filesize
772KB

Download
memory/2008-7-0x0000000002260000-0x0000000002321000-memory.dmp

Filesize
772KB

Download
memory/2008-14-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2008-13-0x0000000002260000-0x0000000002321000-memory.dmp

Filesize
772KB

Download
memory/2008-15-0x0000000002470000-0x0000000002537000-memory.dmp

Filesize
796KB

Download
memory/2008-19-0x0000000002470000-0x0000000002537000-memory.dmp

Filesize
796KB

Download
memory/2008-17-0x0000000002470000-0x0000000002537000-memory.dmp

Filesize
796KB

Download
memory/2008-41-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2008-55-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-56-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-91-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-96-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-105-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-107-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-131-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-132-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-156-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-164-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-187-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-192-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-197-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-202-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-237-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-240-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-245-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-252-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-257-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-284-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-294-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-299-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-308-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-334-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-336-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-340-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-393-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-404-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-406-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2008-433-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download