7300747c1dc00004d4038cb320d2c59d6931606d03f8e476168ebf49cb060962

Analysis

max time kernel
151s
max time network
139s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 05:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
Size

268KB
MD5

2132be2b5e4a551635114748e33af17d
SHA1

f26c8bf68d3a0f3879d632d24ecbc0754b5ec9fd
SHA256

7300747c1dc00004d4038cb320d2c59d6931606d03f8e476168ebf49cb060962
SHA512

d5f6d7b612fad61750dde38955f5200dde6de779ee60c70d75f89e858ac3a88eef008cb9fc8981b2cc8000a9af7b5ba54123319292c5a6e8bc21dd956e28ed2e
SSDEEP

6144:+Rkn+alqMqDoV0L29KQWFte1RfUuSDe+ArH:+Rg+allJ0LcKNyR3SM

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\2132BE~1.EXE,"	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2132BE~1.EXE"	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\43c158ef = "ñ\b\x15¤Vã9µh_ï\r\x13¥ƒ¥ùå \aˆÞQ~šÓ\x05ÇèdgT5ßØÂ³¡§¨÷öŸÆ¸ÿ—[wröK˜\x17\x06Y\x19ÉŽ\x1ax\x14•¶À:ù…zç ‚â±W\u0090#\u0090‚Ó·Ò_úáâíZQÙ\x04QS\u008d™ÊÊiò5Qâå\"‰#ò…QÁ\u0081T)siQ•ÁÑ9\x1bÊ«\x1a:5\x12Zq\x19réºâ\r\x02“\"ºJRcÝÓ\x11\x02±±\x1dÚy\x011:l™Iñ<‚šyáõ¡‘Y£µsš[cÑñÓí:BI\x02!\"ôäÒ\tÍaÂDd¤:J\x1cŠ\x1a£a«I\"¹š»´ƒ©É±\u00adšEjr\x1aá›ÝŠ\x02*\x1cÑq\u0081T\x19…\x01[«›b“´a\réZª¢TâIiu½’ÉJÊ\x02„\vZŒ"	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2132BE~1.EXE"	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
Token: SeSecurityPrivilege	1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
Token: SeSecurityPrivilege	1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
Token: SeSecurityPrivilege	1768	2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2132be2b5e4a551635114748e33af17d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1768-0-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1768-1-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1768-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1768-4-0x00000000021B0000-0x0000000002262000-memory.dmp

Filesize
712KB

Download
memory/1768-14-0x00000000021B0000-0x0000000002262000-memory.dmp

Filesize
712KB

Download
memory/1768-12-0x00000000021B0000-0x0000000002262000-memory.dmp

Filesize
712KB

Download
memory/1768-10-0x00000000021B0000-0x0000000002262000-memory.dmp

Filesize
712KB

Download
memory/1768-8-0x00000000021B0000-0x0000000002262000-memory.dmp

Filesize
712KB

Download
memory/1768-15-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1768-6-0x00000000021B0000-0x0000000002262000-memory.dmp

Filesize
712KB

Download
memory/1768-20-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-18-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-16-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-46-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-45-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-50-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-53-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-48-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-47-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-66-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-80-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-86-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-42-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-87-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-85-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-84-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-82-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-81-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-79-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-78-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-76-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-74-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-73-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-71-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-70-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-68-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-67-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-65-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-63-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-62-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-61-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-59-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-58-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-57-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-55-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-54-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-52-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-51-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-49-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-83-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-77-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-75-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-72-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-69-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-64-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-60-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-56-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-44-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-43-0x00000000026C0000-0x0000000002778000-memory.dmp

Filesize
736KB

Download
memory/1768-170-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1768-172-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download