3eac0303c3f40f0158ae9660066d8ef6e544ad6b4c8fc2e544a340591b71ca59

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c017a0e541154214da79de98367c230_JaffaCakes118.exe
Size

268KB
MD5

1c017a0e541154214da79de98367c230
SHA1

4a2b947a9fe9ca3b53053da7c1ffdd925bc44ff0
SHA256

3eac0303c3f40f0158ae9660066d8ef6e544ad6b4c8fc2e544a340591b71ca59
SHA512

fc1edc241a83279af6bbf4112df6e075045b941b443a8523cb68e6b6d1f1ceae5f210179faa5cc40a1eb2e026d3688f2172432e3e270e5f76cf0755fd7c0377a
SSDEEP

6144:umqdkubHbhJr6GR9KrOd6zk2DRRZv1U8IVjhBuOjlbfOqW2k:utKQNhcrObARRfUvVjhBPjYb2

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\1C017A~1.EXE,"	1c017a0e541154214da79de98367c230_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1C017A~1.EXE"	1c017a0e541154214da79de98367c230_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2e8210cd = "Ÿi±\a‡žø\x02\x17Ì57«\u00adm\x14%rfEÆƒùÑ“^l–Ø¯&¤²a€\x01R\u009dÒzõ¨€o\\ÜPñpòi.\x1d\"\b\x7fð‚\x1d\x06}5`V\añÂ¾¼lL„g\x14 pÑ{;=#\tÕ\x16A\u00adœ\x15#\f!ÚåJª5\u008d\u008dœ…=‹Ú\r-iz\x01]òkšeR\x15©)UKÂU³ù³Ú}óÒÜ\u00adù»üåA\fBZ5yÊ³<\x19ui\u00adœDÓ\x05[“1ýqcc5Qû\x1a=-râŠ3LêuÊe¥Ùäu\v#õá\x15Ú’uš•š\x1d+…A\x1a´»}ãšµ¤\x1ds\x05•=ú:R\x15Ú\x02¼e\x14’yz¬ÍEÍ\x02\x1at•bM5ì\"*ÒzRêñ•\u008d³\x05“Õ}ã\tº\x1b\x02l\x1d\x129\x15\x05“\"u:šÁ"	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1C017A~1.EXE"	1c017a0e541154214da79de98367c230_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
Token: SeSecurityPrivilege	1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
Token: SeSecurityPrivilege	1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe
Token: SeSecurityPrivilege	1744	1c017a0e541154214da79de98367c230_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1c017a0e541154214da79de98367c230_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c017a0e541154214da79de98367c230_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1744-1-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/1744-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1744-13-0x00000000022C0000-0x0000000002381000-memory.dmp

Filesize
772KB

Download
memory/1744-11-0x00000000022C0000-0x0000000002381000-memory.dmp

Filesize
772KB

Download
memory/1744-14-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1744-9-0x00000000022C0000-0x0000000002381000-memory.dmp

Filesize
772KB

Download
memory/1744-7-0x00000000022C0000-0x0000000002381000-memory.dmp

Filesize
772KB

Download
memory/1744-5-0x00000000022C0000-0x0000000002381000-memory.dmp

Filesize
772KB

Download
memory/1744-3-0x00000000022C0000-0x0000000002381000-memory.dmp

Filesize
772KB

Download
memory/1744-15-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-19-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-18-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-41-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-43-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-42-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-56-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-45-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-46-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-65-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-47-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-69-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-48-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-49-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-62-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-77-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-50-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-82-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-51-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-58-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-44-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-87-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-86-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-84-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-83-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-81-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-80-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-79-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-78-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-76-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-75-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-74-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-73-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-72-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-71-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-70-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-68-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-67-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-66-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-64-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-63-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-61-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-60-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-59-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-57-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-55-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-54-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-53-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-52-0x0000000002490000-0x0000000002557000-memory.dmp

Filesize
796KB

Download
memory/1744-169-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download