c00d003bdf8072037befdb98d23119917cc436ee0ecd36fecb269605bd43057b

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
Size

47KB
MD5

0f3c47958d614b859855c711758a5df0
SHA1

40aae0308cdb8ad2dfa658a19b55968dade737fd
SHA256

c00d003bdf8072037befdb98d23119917cc436ee0ecd36fecb269605bd43057b
SHA512

d754072f7fd1adebf22e376b06ac362f22844d7643e8328ea1ca8094827aebbcffb1ec59242fe9e0288c436bc7bf519b2f90234720190a339b348e3b31a6b987
SSDEEP

768:1/z6MO8JdJfSAAWbfTC2/0Q9TEiXgKcnpn8sfEbyFXL1gP6MGHQkwIkNis:1b6MXpSAAWb7C2dTEfCsfEbyp1gvGHcB

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\Userinit.exe,C:\\Windows\\system32\\ahue.exe"	_t19463.tmp

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2552	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2036	_t19463.tmp
840	_fi9464.tmp
2748	fsutil.exe
2744	ahue.exe

Loads dropped DLL 7 IoCs

pid	Process
2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
2036	_t19463.tmp
2036	_t19463.tmp
2744	ahue.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002e000000016c2a-66.dat	upx
behavioral1/memory/2744-68-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2036-56-0x00000000003D0000-0x00000000003D9000-memory.dmp	upx
behavioral1/files/0x0007000000016cec-54.dat	upx
behavioral1/memory/840-55-0x0000000000350000-0x0000000000359000-memory.dmp	upx
behavioral1/memory/2744-77-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2748-82-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\driver\setc\hosts	_fi9464.tmp
File created	C:\Windows\SysWOW64\driver\setc\hosts	_t19463.tmp
File created	C:\Windows\SysWOW64\ahue.exe	_t19463.tmp
File created	C:\Windows\SysWOW64\apphelp.nud	_t19463.tmp
File opened for modification	C:\Windows\SysWOW64\ahue.exe	_t19463.tmp
File opened for modification	C:\Windows\SysWOW64\apphelp.nud	_t19463.tmp

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SQLSADO.HLP	_fi9464.tmp
File opened for modification	C:\Windows\SysWOW64	_t19463.tmp
File created	C:\Windows\fsutil.exe	_fi9464.tmp
File created	C:\Windows\SQLSADO.HLP	_fi9464.tmp
File opened for modification	C:\Windows\fsutil.exe	_fi9464.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	fsutil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	840	_fi9464.tmp
Token: SeIncBasePriorityPrivilege	2036	_t19463.tmp
Token: SeIncBasePriorityPrivilege	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
2036	_t19463.tmp
2036	_t19463.tmp
840	_fi9464.tmp
840	_fi9464.tmp
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe
2748	fsutil.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2036	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2036	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2036	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2036	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	28
PID 2240 wrote to memory of 840	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	29
PID 2240 wrote to memory of 840	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	29
PID 2240 wrote to memory of 840	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	29
PID 2240 wrote to memory of 840	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	29
PID 840 wrote to memory of 2748	840	_fi9464.tmp	31
PID 840 wrote to memory of 2748	840	_fi9464.tmp	31
PID 840 wrote to memory of 2748	840	_fi9464.tmp	31
PID 840 wrote to memory of 2748	840	_fi9464.tmp	31
PID 840 wrote to memory of 2612	840	_fi9464.tmp	32
PID 840 wrote to memory of 2612	840	_fi9464.tmp	32
PID 840 wrote to memory of 2612	840	_fi9464.tmp	32
PID 840 wrote to memory of 2612	840	_fi9464.tmp	32
PID 2036 wrote to memory of 2744	2036	_t19463.tmp	30
PID 2036 wrote to memory of 2744	2036	_t19463.tmp	30
PID 2036 wrote to memory of 2744	2036	_t19463.tmp	30
PID 2036 wrote to memory of 2744	2036	_t19463.tmp	30
PID 2036 wrote to memory of 2524	2036	_t19463.tmp	33
PID 2036 wrote to memory of 2524	2036	_t19463.tmp	33
PID 2036 wrote to memory of 2524	2036	_t19463.tmp	33
PID 2036 wrote to memory of 2524	2036	_t19463.tmp	33
PID 2240 wrote to memory of 2552	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	34
PID 2240 wrote to memory of 2552	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	34
PID 2240 wrote to memory of 2552	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	34
PID 2240 wrote to memory of 2552	2240	0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f3c47958d614b859855c711758a5df0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\_t19463.tmp
  "C:\Users\Admin\AppData\Local\Temp\_t19463.tmp"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\ahue.exe
    "C:\Windows\system32\ahue.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\_t19463.tmp > nul
    3⤵
    PID:2524
- C:\Users\Admin\AppData\Local\Temp\_fi9464.tmp
  "C:\Users\Admin\AppData\Local\Temp\_fi9464.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\fsutil.exe
    "C:\Windows\fsutil.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\_fi9464.tmp > nul
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0F3C47~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_fi9464.tmp

Filesize
23KB

MD5
47833b2b597142651b93a212f8fbff87

SHA1
a970368b071a80f0f807bb9eebc9807674647617

SHA256
fdb0be56e2bbb877e59db307c71b597c3bf04c8f4fc8661668d968c717b739a5

SHA512
99807a798891e009fb8d6feef1b16564f9219d1780d042dfe77398f910991389ef03ed17b1ab5b3bde1bddf70ddaa3ebc8a027b655262aff831bcfc8f834d8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_t19463.tmp

Filesize
20KB

MD5
30d60a822328ad77a62199e468d03966

SHA1
42eb2953702b2df4e5dbcb7e26bc06b7cffe5e31

SHA256
86fc6d353e5723ee1c82c6a996b42772414e0da81c8db91378f7d267fa20a34c

SHA512
f03b9e2783b55cf0ad2e1ac9dd5a53c50309a917a85ebf4432a3f458bb176246ea8c7c2e4f20b7b49632c26ed4a26d898babda04b77435ddf803eae41e43de3d

Download Submit
C:\Windows\SQLSADO.HLP

Filesize
15KB

MD5
4709a750266411fa7aac67bc93004135

SHA1
320e1ce674bb258bac5f0a5b22cf951240b13cc7

SHA256
fac29a5fd0216a4e3a54b0721c0a850fbceb840a12b256e2cdf6abf59f3031d4

SHA512
470c0d8d347552258c86dfc30ff08a170d9ca9deb5911b55d8c39bf656f425408ee1c351419bc0df9941204319fceb5a100789201947d2a8dd1cc214dd018859

Download Submit
C:\Windows\SysWOW64\ahue.exe

Filesize
7KB

MD5
698500427ca50cec5dbd8698eb421bad

SHA1
490455d78ebfad2cca9037dcc2e221c3f6bed4ca

SHA256
52d10061c647ee2f3f6ad7d5fe6523726d6560040c1ad1e22cbd9ea753cbc45f

SHA512
8fd462a6de248a561ff03bc7c3f54390c41c042f58c3c492d77ce4df8984c7f86654cf82957dd891eb934487114d3e1f56b236aba7743f32914407c45536357f

Download Submit
C:\Windows\SysWOW64\apphelp.nud

Filesize
13KB

MD5
8557194945a2dc9fed9aaa7cab83186a

SHA1
b17d08ee1715bdd12af06f1d6fe45a3ea5d4c1e7

SHA256
1175c8f82fa67cfbead523aa1f51e2b9be75bedc93a1f3b7601a5a4ffd9dae12

SHA512
951d42355d1438e66aad3d20cd768dc3775660ca5890deecf7d81a9e75063ae7daf3d05e725087eafa8b01f0fa56f144caab41210d10abfde6f5ef13527e795f

Download Submit
C:\Windows\fsutil.exe

Filesize
7KB

MD5
f7a26dbebafbf6518359d2c8d4ed742a

SHA1
4d88b26fb95b6ad03b9c7979f7648a4bef7b3ea8

SHA256
d5a6286d512cf73b1bea9e86b2a296250bb4330d868932b096f70d3e39d8cf6f

SHA512
2ccf12eae4abed00c7d43df31317fd6e3f44c0b6019852c50893af105148ab8d815c5b3a5d4ee0dda2fe4b81299c22d6634469c89362edb996fa7f261eaa6eca

Download Submit
memory/840-55-0x0000000000350000-0x0000000000359000-memory.dmp

Filesize
36KB

Download
memory/840-36-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/840-63-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2036-65-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/2036-56-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/2036-26-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2240-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2240-74-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/2240-81-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2240-34-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/2240-35-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/2240-75-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/2240-25-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/2240-24-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/2240-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2744-77-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-73-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2744-76-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2744-78-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2744-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2748-70-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2748-64-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2748-82-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2748-84-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download