d9e8665233ba7186d7b4be33e1d594f11eaa118bdfc9c36f72891dbfceaa260a

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 21:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
Size

272KB
MD5

0f94263e89fe3eb9e2b81d91061e8121
SHA1

2b831c5ae3797f81f2f6f8e14624340c82ac23a1
SHA256

d9e8665233ba7186d7b4be33e1d594f11eaa118bdfc9c36f72891dbfceaa260a
SHA512

3b1828eca8f4e2fe728b8fffa1d01bf4c69a63dfdcbab715d68a516e526079ca5b54faa1ae7294b88e52961053632c032bf226b045d40b45118c46ac970d187e
SSDEEP

6144:KxP+vFrIB6auKY+fjZkCcU4Kz9262WfJEAuFTbrG:KxP+vNQuKY8kCD4WxEdFT3G

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\0F9426~1.EXE,"	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0F9426~1.EXE"	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4b86df57 = "Ïit\a\x10}ê›yÂ(ð²2ñ\x12»\x02_mÙ[<\u00a0ŠpÑ\x0eÇ„6G=æ\x05=bIQFs¥»¤\u00advÙ¥‡ê\x05Z\n]ÛW\x01â\x03n’e\x10¡êâ¿_RjšÙ&ú..\u0090K”Ë4…b8\x13\x12³`ë\x18¼\x03ÓÓH«{@zÚ;rðË¼\x18ëÊË<R´k´ku{zÊ3•¼À;“›ü«ƒÌsêKh{ÈãPÄ@P\x03\x02Ðý³sÀýhÜt³¸3k"	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0F9426~1.EXE"	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
Token: SeSecurityPrivilege	2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
Token: SeSecurityPrivilege	2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
Token: SeSecurityPrivilege	2932	0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f94263e89fe3eb9e2b81d91061e8121_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2932-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2932-1-0x000000007EF40000-0x000000007EFA9000-memory.dmp

Filesize
420KB

Download
memory/2932-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2932-3-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2932-4-0x00000000009B0000-0x0000000000A62000-memory.dmp

Filesize
712KB

Download
memory/2932-6-0x00000000009B0000-0x0000000000A62000-memory.dmp

Filesize
712KB

Download
memory/2932-14-0x00000000009B0000-0x0000000000A62000-memory.dmp

Filesize
712KB

Download
memory/2932-12-0x00000000009B0000-0x0000000000A62000-memory.dmp

Filesize
712KB

Download
memory/2932-10-0x00000000009B0000-0x0000000000A62000-memory.dmp

Filesize
712KB

Download
memory/2932-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2932-8-0x00000000009B0000-0x0000000000A62000-memory.dmp

Filesize
712KB

Download
memory/2932-16-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-18-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-20-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-41-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-46-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-40-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-42-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-43-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-44-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-73-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-45-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-47-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-49-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-48-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-50-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-51-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-52-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-54-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-53-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-55-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-56-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-84-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-83-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-82-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-81-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-80-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-79-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-78-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-77-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-76-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-75-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-74-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-72-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-71-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-70-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-69-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-68-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-67-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-66-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-65-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-64-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-63-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-62-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-61-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-60-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-59-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-58-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-57-0x0000000002360000-0x0000000002418000-memory.dmp

Filesize
736KB

Download
memory/2932-168-0x000000007EF40000-0x000000007EFA9000-memory.dmp

Filesize
420KB

Download
memory/2932-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download